Détails IP 8.230.0.135

Synthèse exécutive

Profil de menace

Score de risque 78/100 Élevé

Première observation 04/06/2026 20:28 UTC

Dernière observation 04/06/2026 20:29 UTC

Événements (période) 766

MITRE ATT&CK principal —

risque 56/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_flood » (signaux protocolaires) · confiance 100%

Comparaison ASN / FAI

ASN 396982 · 8.230.0.0/19 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 766 événements sur la période pour cette IP.

162.216.150.59 Scanner web 21/06/2026 00:38 UTC
162.216.149.213 Scanner web 21/06/2026 00:37 UTC
35.203.210.40 Scanner web 21/06/2026 00:37 UTC
205.210.31.172 Sonde port 21/06/2026 00:36 UTC
35.203.210.75 Scanner web 21/06/2026 00:36 UTC
205.210.31.104 webmin probe 21/06/2026 00:35 UTC
147.185.133.36 Scanner web 21/06/2026 00:35 UTC
147.185.133.191 Scanner web 21/06/2026 00:34 UTC

Événements (filtres)

766

Première observation

04/06/2026 20:28 UTC

Dernière observation

04/06/2026 20:29 UTC

Dernière activité (filtres)

04/06/2026 20:29 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

—

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 383 TLS TCP 383

HTTP

383

TLS

383

Géolocalisation

Origine réseau déclarée

Corée du Sud unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 3000 credential_file_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Aperçu payload

GET /private.key HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML

Port / service

3000

Recommandation

Investiguer

Confiance

100%

Famille de menace

ddos

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

766 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

766 événement(s) — page 4/16

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
04/06/2026 20:29:08 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 64
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /backend/database.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /backend/database.yml Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/database.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backend/database.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Fire Requête brute (extrait) GET /backend/database.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "30f64055157dc1523c27299ce23be3c06ab177dd", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "25a2d98e6a2c7dd23e193680fa9bacac3e7bc9fa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 204, "payload_entropy": 5.2949095199166125, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 64, "tag_count": 4, "anomaly_count": 0, "campaign_key": "473d04a580afb39440a120bd1ec4e3e07cebde80", "event_fingerprint": "691e4d8727577168d5c8a52a170902ef2a425b3c", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1321ad0a029ffe243cfb2e0f8f41e310", "payload_hash": "cd00b1e3d9ef27bf5a3d648934b6ba55", "path_pattern_hash": "093366cc927a8512059dfdc7be5f5e49" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/backend\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Fire", "method": "GET", "path": "\/backend\/database.yml", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/database.yml HTTP\/1.1", "request_sample": "GET \/backend\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Fire", "evidence": { "method": "GET", "path": "\/backend\/database.yml", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/database.yml HTTP\/1.1", "request_sample": "GET \/backend\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Fire", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e9bac66bfc42d37a81351d54076bfeb54044d98c", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��.�5��c��-��!�`�2�KЯ�N1�/�4 fغ2F�� z��A�3UtL��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��.�5��c��-��!�`�2 �KЯ�N1�/�4 fغ2F�� z��A�3UtL��&�+�/�,�0̨̩� �� /5� w �+3&$ (��P�?(=�� ȪH�Y?��a�O Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.851617690595555, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "c5b4990ba4fb75158f24fa3b64ac7a68", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003.\u0018\ufffd\u001a5\ufffd\ufffd\ufffdc\ufffd\ufffd-\ufffd\ufffd!\ufffd`\ufffd2\u000b\ufffdK\u042f\ufffdN1\ufffd\u0004\/\ufffd4 f\u063a2F\ufffd\ufffd\ufffd\ufffd\ufffd\u001a\u000f \ufffd\ufffd\ufffd\u0006z\ufffd\ufffd\u0005\ufffd\b\ufffdA\ufffd3UtL\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003.\u0018\ufffd\u001a5\ufffd\ufffd\ufffdc\ufffd\ufffd-\ufffd\ufffd!\ufffd`\ufffd2\u000b\ufffdK\u042f\ufffdN1\ufffd\u0004\/\ufffd4 f\u063a2F\ufffd\ufffd\ufffd\ufffd\ufffd\u001a\u000f \ufffd\ufffd\ufffd\u0006z\ufffd\ufffd\u0005\ufffd\b\ufffdA\ufffd3UtL\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 (\ufffd\ufffd\ufffd\u0011\ufffd\ufffdP\ufffd\u0014?(=\ufffd\ufffd\u0011 \ufffd\ufffd\u022aH\ufffdY?\ufffd\ufffd\ufffda\ufffdO\u0007", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003.\u0018\ufffd\u001a5\ufffd\ufffd\ufffdc\ufffd\ufffd-\ufffd\ufffd!\ufffd`\ufffd2\u000b\ufffdK\u042f\ufffdN1\ufffd\u0004\/\ufffd4 f\u063a2F\ufffd\ufffd\ufffd\ufffd\ufffd\u001a\u000f \ufffd\ufffd\ufffd\u0006z\ufffd\ufffd\u0005\ufffd\b\ufffdA\ufffd3UtL\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003.\u0018\ufffd\u001a5\ufffd\ufffd\ufffdc\ufffd\ufffd-\ufffd\ufffd!\ufffd`\ufffd2\u000b\ufffdK\u042f\ufffdN1\ufffd\u0004\/\ufffd4 f\u063a2F\ufffd\ufffd\ufffd\ufffd\ufffd\u001a\u000f \ufffd\ufffd\ufffd\u0006z\ufffd\ufffd\u0005\ufffd\b\ufffdA\ufffd3UtL\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 (\ufffd\ufffd\ufffd\u0011\ufffd\ufffdP\ufffd\u0014?(=\ufffd\ufffd\u0011 \ufffd\ufffd\u022aH\ufffdY?\ufffd\ufffd\ufffda\ufffdO\u0007", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003.\u0018\ufffd\u001a5\ufffd\ufffd\ufffdc\ufffd\ufffd-\ufffd\ufffd!\ufffd`\ufffd2\u000b\ufffdK\u042f\ufffdN1\ufffd\u0004\/\ufffd4 f\u063a2F\ufffd\ufffd\ufffd\ufffd\ufffd\u001a\u000f \ufffd\ufffd\ufffd\u0006z\ufffd\ufffd\u0005\ufffd\b\ufffdA\ufffd3UtL\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "282f285a4a1b3d76fbac962c86f89d684212c805", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /application.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /application.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /application.json HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.82 Safari/537.36 OPR/29.0.1795.41 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /application.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/5 Requête brute (extrait) GET /application.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.82 Safari/537.36 OPR/29.0.1795.41 Accept-Charset: utf-8 Accept-Encoding: gzip Conn Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "c4bf57bd739bb02823fb036b11f2278a0396fb9a", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "0b5572e340ceab13ef54a299786d05b13bd45040", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 273, "payload_entropy": 5.424510198599184, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d7edc5850a38d3594957ded838e838a642524353", "event_fingerprint": "f411ea7d4ac17dd841bd3cd246ed6bec718c5648", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2a54b417612f59356c0ee2623b71e6a7", "payload_hash": "4bf6c9f5da33b282df8d78839e0db1c9", "path_pattern_hash": "10b0d9b92f796dbf4c156490a626ae9a" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/application.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/5", "method": "GET", "path": "\/application.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.82 Safari\/537.36 OPR\/29.0.1795.41", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.json HTTP\/1.1", "request_sample": "GET \/application.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.82 Safari\/537.36 OPR\/29.0.1795.41\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/application.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/application.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.82 Safari\/537.36 OPR\/29.0.1795.41", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.json HTTP\/1.1", "request_sample": "GET \/application.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.82 Safari\/537.36 OPR\/29.0.1795.41\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/application.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f7aaa09594865b8dea838205cf2ef9079b10ce46", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��kj�iZg��8&n��c� ��#$I� E椑c��z�WV�i:ҟ��(o�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��kj�iZg��8&n��c� ��#$I� E椑c��z�WV�i:ҟ��(o�&�+�/�,�0̨̩� �� /5� w �+3&$ ��2A�� 5��p�� l��B�BYb Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.802639671945542, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "eeaefd4eca477563dc7f89f9a1f7c524", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003kj\ufffdi\u0010Zg\ufffd\ufffd\ufffd8&\u001fn\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffdc\ufffd\n\ufffd\ufffd\u0001\ufffd#$I\ufffd E\u6911c\u0014\ufffd\b\ufffd\u0014\ufffdz\ufffdWV\ufffdi:\u049f\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(o\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003kj\ufffdi\u0010Zg\ufffd\ufffd\ufffd8&\u001fn\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffdc\ufffd\n\ufffd\ufffd\u0001\ufffd#$I\ufffd E\u6911c\u0014\ufffd\b\ufffd\u0014\ufffdz\ufffdWV\ufffdi:\u049f\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(o\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0000\ufffd\ufffd2A\ufffd\ufffd\ufffd\ufffd\u000b\ufffd5\ufffd\ufffdp\ufffd\ufffd\ufffd\u001b\f\ufffd\t\ufffdl\ufffd\ufffdB\ufffd\u0007BYb", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003kj\ufffdi\u0010Zg\ufffd\ufffd\ufffd8&\u001fn\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffdc\ufffd\n\ufffd\ufffd\u0001\ufffd#$I\ufffd E\u6911c\u0014\ufffd\b\ufffd\u0014\ufffdz\ufffdWV\ufffdi:\u049f\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(o\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003kj\ufffdi\u0010Zg\ufffd\ufffd\ufffd8&\u001fn\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffdc\ufffd\n\ufffd\ufffd\u0001\ufffd#$I\ufffd E\u6911c\u0014\ufffd\b\ufffd\u0014\ufffdz\ufffdWV\ufffdi:\u049f\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(o\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0000\ufffd\ufffd2A\ufffd\ufffd\ufffd\ufffd\u000b\ufffd5\ufffd\ufffdp\ufffd\ufffd\ufffd\u001b\f\ufffd\t\ufffdl\ufffd\ufffdB\ufffd\u0007BYb", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003kj\ufffdi\u0010Zg\ufffd\ufffd\ufffd8&\u001fn\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffdc\ufffd\n\ufffd\ufffd\u0001\ufffd#$I\ufffd E\u6911c\u0014\ufffd\b\ufffd\u0014\ufffdz\ufffdWV\ufffdi:\u049f\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(o\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "19f59d57f2a3908be1e90936974670adf9b648e4", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��ԛA��MS��1��\Wb"�Io��7�Ҍ�� Sb0�\|�ٷ~]Qog��3��Q��ɥH&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��ԛA��MS��1��\Wb"�Io��7�Ҍ�� Sb0�\|�ٷ~]Qog��3��Q��ɥH&�+�/�,�0̨̩� �� /5� w �+3&$ �zux��T��-��YA��[P�S�]�#5��[ Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.813157084919364, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "73c1abffcb9d6c726d9198e5d17e1998", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u051bA\ufffd\u001f\ufffd\ufffdMS\ufffd\ufffd1\ufffd\ufffd\\Wb\"\ufffdIo\ufffd\ufffd\u001a7\ufffd\u048c\ufffd\u0013\ufffd Sb0\u0016\ufffd\|\ufffd\u0677~]Q\u001cog\ufffd\ufffd\u00043\ufffd\ufffd\ufffd\ufffdQ\ufffd\ufffd\ufffd\u0006\u0265H\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u051bA\ufffd\u001f\ufffd\ufffdMS\ufffd\ufffd1\ufffd\ufffd\\Wb\"\ufffdIo\ufffd\ufffd\u001a7\ufffd\u048c\ufffd\u0013\ufffd Sb0\u0016\ufffd\|\ufffd\u0677~]Q\u001cog\ufffd\ufffd\u00043\ufffd\ufffd\ufffd\ufffdQ\ufffd\ufffd\ufffd\u0006\u0265H\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdz\u0015ux\ufffd\ufffdT\ufffd\ufffd\ufffd-\ufffd\u000e\ufffdYA\ufffd\ufffd\ufffd[P\ufffdS\ufffd]\ufffd#5\ufffd\ufffd[", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u051bA\ufffd\u001f\ufffd\ufffdMS\ufffd\ufffd1\ufffd\ufffd\\Wb\"\ufffdIo\ufffd\ufffd\u001a7\ufffd\u048c\ufffd\u0013\ufffd Sb0\u0016\ufffd\|\ufffd\u0677~]Q\u001cog\ufffd\ufffd\u00043\ufffd\ufffd\ufffd\ufffdQ\ufffd\ufffd\ufffd\u0006\u0265H\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u051bA\ufffd\u001f\ufffd\ufffdMS\ufffd\ufffd1\ufffd\ufffd\\Wb\"\ufffdIo\ufffd\ufffd\u001a7\ufffd\u048c\ufffd\u0013\ufffd Sb0\u0016\ufffd\|\ufffd\u0677~]Q\u001cog\ufffd\ufffd\u00043\ufffd\ufffd\ufffd\ufffdQ\ufffd\ufffd\ufffd\u0006\u0265H\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdz\u0015ux\ufffd\ufffdT\ufffd\ufffd\ufffd-\ufffd\u000e\ufffdYA\ufffd\ufffd\ufffd[P\ufffdS\ufffd]\ufffd#5\ufffd\ufffd[", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u051bA\ufffd\u001f\ufffd\ufffdMS\ufffd\ufffd1\ufffd\ufffd\\Wb\"\ufffdIo\ufffd\ufffd\u001a7\ufffd\u048c\ufffd\u0013\ufffd Sb0\u0016\ufffd\|\ufffd\u0677~]Q\u001cog\ufffd\ufffd\u00043\ufffd\ufffd\ufffd\ufffdQ\ufffd\ufffd\ufffd\u0006\u0265H\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9e33db502d8654cf8aff6ceea41a75ad168a997d", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 46
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 6 Recommandation Surveiller Tags 950470:nosqli-3 net_flood Cible HTTP GET /app.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /app.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app.json HTTP/1.1` User-Agent Nokia6630/1.0 (2.3.129) SymbianOS/8.0 Series60/2.6 Profile/MIDP-2.0 Configuration/CLDC-1.1 Règles WAF nosqli-3 Payload (extrait) GET /app.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Nokia6630/1.0 (2.3.129) SymbianOS/8.0 Series60/2.6 Profile/MIDP-2.0 C Requête brute (extrait) GET /app.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Nokia6630/1.0 (2.3.129) SymbianOS/8.0 Series60/2.6 Profile/MIDP-2.0 Configuration/CLDC-1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "72d18b5b42e0b8918bb2e4f0266323ca61f53316", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "cf8222be2fbd8af767cbac7dc8c95f4a17eb0111", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 218, "payload_entropy": 5.30789677392107, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 32, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 2, "anomaly_count": 0, "campaign_key": "27cd8a4b8c73e99d4a99fc799bb1e5c794a76834", "event_fingerprint": "ab11b8ef67c42f011efcb683679bde3bc7d47709", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "493b3c1bf47ba572674c07c0305dd446", "payload_hash": "5ed9dd303bc3df3c3424ffe78116f03f", "path_pattern_hash": "dd0b61b983772942d4c3984314456196" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/app.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Nokia6630\/1.0 (2.3.129) SymbianOS\/8.0 Series60\/2.6 Profile\/MIDP-2.0 C", "method": "GET", "path": "\/app.json", "user_agent": "Nokia6630\/1.0 (2.3.129) SymbianOS\/8.0 Series60\/2.6 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/app.json HTTP\/1.1", "request_sample": "GET \/app.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Nokia6630\/1.0 (2.3.129) SymbianOS\/8.0 Series60\/2.6 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Nokia6630\/1.0 (2.3.129) SymbianOS\/8.0 Series60\/2.6 Profile\/MIDP-2.0 C", "evidence": { "method": "GET", "path": "\/app.json", "user_agent": "Nokia6630\/1.0 (2.3.129) SymbianOS\/8.0 Series60\/2.6 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/app.json HTTP\/1.1", "request_sample": "GET \/app.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Nokia6630\/1.0 (2.3.129) SymbianOS\/8.0 Series60\/2.6 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Nokia6630\/1.0 (2.3.129) SymbianOS\/8.0 Series60\/2.6 Profile\/MIDP-2.0 C", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d260cafe96f255cfea70a4b5ec5d192a44b93a71", "ban_policy": "advisory_monitor", "tags_list": [ "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��P$�:�3◛��//�uQ+W�}@j��W N_�h�-�]+z��&ag�Ȥ��a��R=�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��P$�:�3◛��//�uQ+W�}@j��W N_�h�-�]+z��&ag�Ȥ��a� �R=�&�+�/�,�0̨̩� �� /5� w �+3&$ A�x ?1�d�r�LD��9T��%�u�� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.804958070905965, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "ccd88459e81b6f5d8225af14a6331d4b", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\ufffd\u0005P$\ufffd:\ufffd3\u25db\ufffd\ufffd\ufffd\u0006\/\/\ufffduQ+W\ufffd}@j\ufffd\ufffd\u001bW N_\ufffdh\ufffd-\ufffd]+z\ufffd\ufffd\ufffd&ag\ufffd\u0224\ufffd\ufffd\ufffd\ufffda\ufffd\u0014\u000b\ufffdR=\ufffd\u0000\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\ufffd\u0005P$\ufffd:\ufffd3\u25db\ufffd\ufffd\ufffd\u0006\/\/\ufffduQ+W\ufffd}@j\ufffd\ufffd\u001bW N_\ufffdh\ufffd-\ufffd]+z\ufffd\ufffd\ufffd&ag\ufffd\u0224\ufffd\ufffd\ufffd\ufffda\ufffd\u0014\u000b\ufffdR=\ufffd\u0000\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 A\ufffd\u0003x\u0011 \u0010?1\ufffdd\ufffdr\ufffdLD\ufffd\ufffd9T\ufffd\ufffd%\ufffdu\ufffd\ufffd\ufffd\u001d\ufffd\n", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\ufffd\u0005P$\ufffd:\ufffd3\u25db\ufffd\ufffd\ufffd\u0006\/\/\ufffduQ+W\ufffd}@j\ufffd\ufffd\u001bW N_\ufffdh\ufffd-\ufffd]+z\ufffd\ufffd\ufffd&ag\ufffd\u0224\ufffd\ufffd\ufffd\ufffda\ufffd\u0014\u000b\ufffdR=\ufffd\u0000\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\ufffd\u0005P$\ufffd:\ufffd3\u25db\ufffd\ufffd\ufffd\u0006\/\/\ufffduQ+W\ufffd}@j\ufffd\ufffd\u001bW N_\ufffdh\ufffd-\ufffd]+z\ufffd\ufffd\ufffd&ag\ufffd\u0224\ufffd\ufffd\ufffd\ufffda\ufffd\u0014\u000b\ufffdR=\ufffd\u0000\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 A\ufffd\u0003x\u0011 \u0010?1\ufffdd\ufffdr\ufffdLD\ufffd\ufffd9T\ufffd\ufffd%\ufffdu\ufffd\ufffd\ufffd\u001d\ufffd\n", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\ufffd\u0005P$\ufffd:\ufffd3\u25db\ufffd\ufffd\ufffd\u0006\/\/\ufffduQ+W\ufffd}@j\ufffd\ufffd\u001bW N_\ufffdh\ufffd-\ufffd]+z\ufffd\ufffd\ufffd&ag\ufffd\u0224\ufffd\ufffd\ufffd\ufffda\ufffd\u0014\u000b\ufffdR=\ufffd\u0000\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "feff91b869083cadcb73c7f13319682115cd3d8e", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /app.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /app.yaml Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app.yaml HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D60 Safari/604.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app.yaml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit/ Requête brute (extrait) GET /app.yaml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D60 Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "3a9bcdd3dc2905bd8ddd2bff52683409793493aa", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "4f8d8575094a0d78fe84167500fc46c65e6b83e6", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 263, "payload_entropy": 5.380942097644299, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "899eee33290db54b7be0e362049a6d9e9fea0c66", "event_fingerprint": "d5e921f8e5804a552614b05ede6cffbad4c42a6a", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "577b9f58c4e51138d6e0cd22cf64da14", "payload_hash": "84a20db4af93195cd1ec49618232543a", "path_pattern_hash": "930f4fba7ea3b5abd5a572fe6e72bfd6" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/app.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit\/", "method": "GET", "path": "\/app.yaml", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15D60 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.yaml HTTP\/1.1", "request_sample": "GET \/app.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15D60 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/app.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/app.yaml", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15D60 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.yaml HTTP\/1.1", "request_sample": "GET \/app.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15D60 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/app.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit\/", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "486c051581fbe340cbba75b6d8b4a62110a5cb83", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��ü�5m��:�)��P1�>�:�� ޶i�=��)<��:�i7M�`�P��$C]�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��ü�5m��: �)�� P1�>�:�� ޶i�=��)<��:�i7M�`�P��$C]�&�+�/�,�0̨̩� �� /5� w �+3&$ 6\f��O�;�6(��(�&4qޤ�i�4�M� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.79425574103678, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "bb164cb224708d01f4e7f31f5df9a817", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u00fc\ufffd5m\ufffd\ufffd:\u000b\ufffd)\ufffd\ufffd\f\u0012\f\u0004\ufffd\ufffdP1\ufffd>\ufffd:\ufffd\ufffd\ufffd \u07b6i\ufffd=\u0012\ufffd\ufffd\ufffd)<\ufffd\ufffd\ufffd\ufffd:\ufffdi\u00077M\ufffd`\ufffdP\ufffd\ufffd$\u0010C]\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u00fc\ufffd5m\ufffd\ufffd:\u000b\ufffd)\ufffd\ufffd\f\u0012\f\u0004\ufffd\ufffdP1\ufffd>\ufffd:\ufffd\ufffd\ufffd \u07b6i\ufffd=\u0012\ufffd\ufffd\ufffd)<\ufffd\ufffd\ufffd\ufffd:\ufffdi\u00077M\ufffd`\ufffdP\ufffd\ufffd$\u0010C]\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 6\\f\ufffd\ufffdO\ufffd;\ufffd6(\ufffd\ufffd(\ufffd&4q\u0007\u07a4\ufffdi\ufffd\u0007\u00134\ufffdM\ufffd\u0005", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u00fc\ufffd5m\ufffd\ufffd:\u000b\ufffd)\ufffd\ufffd\f\u0012\f\u0004\ufffd\ufffdP1\ufffd>\ufffd:\ufffd\ufffd\ufffd \u07b6i\ufffd=\u0012\ufffd\ufffd\ufffd)<\ufffd\ufffd\ufffd\ufffd:\ufffdi\u00077M\ufffd`\ufffdP\ufffd\ufffd$\u0010C]\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u00fc\ufffd5m\ufffd\ufffd:\u000b\ufffd)\ufffd\ufffd\f\u0012\f\u0004\ufffd\ufffdP1\ufffd>\ufffd:\ufffd\ufffd\ufffd \u07b6i\ufffd=\u0012\ufffd\ufffd\ufffd)<\ufffd\ufffd\ufffd\ufffd:\ufffdi\u00077M\ufffd`\ufffdP\ufffd\ufffd$\u0010C]\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 6\\f\ufffd\ufffdO\ufffd;\ufffd6(\ufffd\ufffd(\ufffd&4q\u0007\u07a4\ufffdi\ufffd\u0007\u00134\ufffdM\ufffd\u0005", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u00fc\ufffd5m\ufffd\ufffd:\u000b\ufffd)\ufffd\ufffd\f\u0012\f\u0004\ufffd\ufffdP1\ufffd>\ufffd:\ufffd\ufffd\ufffd \u07b6i\ufffd=\u0012\ufffd\ufffd\ufffd)<\ufffd\ufffd\ufffd\ufffd:\ufffdi\u00077M\ufffd`\ufffdP\ufffd\ufffd$\u0010C]\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9aed5156518973d9b7508ed69c1e324672b99e5a", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /app.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /app.yml Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /app.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "d52ae5fd0587f0a8d63d73f658e4cfe1f696d2c4", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "597dea0ab924c152a2925645cc353ecd4a8eea78", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.414507436904811, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "899eee33290db54b7be0e362049a6d9e9fea0c66", "event_fingerprint": "0454f684f71d8aa7a2e56a7f3918e37e76d51273", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "34d1b3e31734a3b6e2d4550317d88d1a", "payload_hash": "b0958e3c80a17e8374d4ffe83485857c", "path_pattern_hash": "62ed182b1af6b760118a2c86d5130318" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/app.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.yml HTTP\/1.1", "request_sample": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/app.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.yml HTTP\/1.1", "request_sample": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "628e12f40ea97580fdb91d789b997d7606c69655", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��W�}�6�%u��hٵe�D �� k�٦޳��$��b��%4qӄ�q&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��W�}�6�%u��hٵe�D �� k�٦޳��$��b��%4qӄ�q&�+�/�,�0̨̩� �� /5� w �+3&$ 3��'�̍7jΫصt�v��I�sSR��# Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.877659020038768, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "c96065ed9ed6d78edac71f48644b937e", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0007\ufffd\u0011W\ufffd}\ufffd6\ufffd%u\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\u0019h\u0675e\ufffdD\u0005 \u0011\ufffd\ufffd\ufffd\ufffd k\ufffd\u0666\u07b3\ufffd\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0001\ufffd\u0010\ufffd\ufffd\ufffd\u0016b\ufffd\ufffd%4q\u04c4\ufffdq\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0007\ufffd\u0011W\ufffd}\ufffd6\ufffd%u\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\u0019h\u0675e\ufffdD\u0005 \u0011\ufffd\ufffd\ufffd\ufffd k\ufffd\u0666\u07b3\ufffd\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0001\ufffd\u0010\ufffd\ufffd\ufffd\u0016b\ufffd\ufffd%4q\u04c4\ufffdq\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 3\ufffd\ufffd\ufffd'\ufffd\u001f\u030d7j\u03ab\u0635t\ufffdv\ufffd\ufffdI\u001e\u001a\ufffdsSR\ufffd\ufffd\ufffd\ufffd#", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0007\ufffd\u0011W\ufffd}\ufffd6\ufffd%u\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\u0019h\u0675e\ufffdD\u0005 \u0011\ufffd\ufffd\ufffd\ufffd k\ufffd\u0666\u07b3\ufffd\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0001\ufffd\u0010\ufffd\ufffd\ufffd\u0016b\ufffd\ufffd%4q\u04c4\ufffdq\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0007\ufffd\u0011W\ufffd}\ufffd6\ufffd%u\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\u0019h\u0675e\ufffdD\u0005 \u0011\ufffd\ufffd\ufffd\ufffd k\ufffd\u0666\u07b3\ufffd\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0001\ufffd\u0010\ufffd\ufffd\ufffd\u0016b\ufffd\ufffd%4q\u04c4\ufffdq\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 3\ufffd\ufffd\ufffd'\ufffd\u001f\u030d7j\u03ab\u0635t\ufffdv\ufffd\ufffdI\u001e\u001a\ufffdsSR\ufffd\ufffd\ufffd\ufffd#", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0007\ufffd\u0011W\ufffd}\ufffd6\ufffd%u\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\u0019h\u0675e\ufffdD\u0005 \u0011\ufffd\ufffd\ufffd\ufffd k\ufffd\u0666\u07b3\ufffd\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0001\ufffd\u0010\ufffd\ufffd\ufffd\u0016b\ufffd\ufffd%4q\u04c4\ufffdq\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "270f69826573da5552f327d616acf97d155fab87", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /appsettings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /appsettings.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /appsettings.json HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) snap Chromium/75.0.3770.142 Chrome/75.0.3770.142 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /appsettings.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /appsettings.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) snap Chromium/75.0.3770.142 Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connecti Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "cc917cf6074a981fb70c378babfd8df895e5c3b7", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "1bb70c4d477e16ecbd1bc700e3f66fae61eb4898", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 269, "payload_entropy": 5.411816024843759, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d7edc5850a38d3594957ded838e838a642524353", "event_fingerprint": "5791f0a012f6bda59965b0a1f9a438160e9d0772", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "95ddbe0b148dd48d21844dff1d496cdc", "payload_hash": "109911663c7c4ed274189fe505bc07ee", "path_pattern_hash": "8a0b1852fc2be645a82e96b3e5fdd755" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/appsettings.json", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) snap Chromium\/75.0.3770.142 Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/appsettings.json HTTP\/1.1", "request_sample": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) snap Chromium\/75.0.3770.142 Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/appsettings.json", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) snap Chromium\/75.0.3770.142 Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/appsettings.json HTTP\/1.1", "request_sample": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) snap Chromium\/75.0.3770.142 Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "834258109673b9e4093ba00b05dd2efa5f9b3fe3", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��g$��(��8 �� xp� .��V%�[�� 9T�'�;�4-D�r�;�x"Q^��Urq��`�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��g$��(��8 �� xp� .��V%�[�� 9T�'�;�4-D�r�;�x"Q^��Urq��`�&�+�/�,�0̨̩� �� /5� w �+3&$ ��<�� Uj?=>\|rp��+�=} Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.880914794592105, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "caaca20df81121c2876d18f7af791af4", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003g$\ufffd\u0011\ufffd(\ufffd\ufffd\ufffd\ufffd8\r\ufffd\ufffd xp\u0007\ufffd\n\u0006.\ufffd\ufffd\ufffdV%\ufffd[\ufffd\ufffd \ufffd9T\ufffd'\ufffd;\ufffd4\u0013-D\ufffdr\ufffd;\ufffdx\"Q^\ufffd\ufffdUrq\ufffd\u0012\u0011\ufffd`\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003g$\ufffd\u0011\ufffd(\ufffd\ufffd\ufffd\ufffd8\r\ufffd\ufffd xp\u0007\ufffd\n\u0006.\ufffd\ufffd\ufffdV%\ufffd[\ufffd\ufffd \ufffd9T\ufffd'\ufffd;\ufffd4\u0013-D\ufffdr\ufffd;\ufffdx\"Q^\ufffd\ufffdUrq\ufffd\u0012\u0011\ufffd`\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0015\ufffd<\ufffd\ufffd\ufffd\ufffd\ufffd\u000b\ufffd\ufffdUj?=>\u0014\|rp\ufffd\u0003\ufffd\ufffd\ufffd+\u001b\ufffd=\u0011}", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003g$\ufffd\u0011\ufffd(\ufffd\ufffd\ufffd\ufffd8\r\ufffd\ufffd xp\u0007\ufffd\n\u0006.\ufffd\ufffd\ufffdV%\ufffd[\ufffd\ufffd \ufffd9T\ufffd'\ufffd;\ufffd4\u0013-D\ufffdr\ufffd;\ufffdx\"Q^\ufffd\ufffdUrq\ufffd\u0012\u0011\ufffd`\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003g$\ufffd\u0011\ufffd(\ufffd\ufffd\ufffd\ufffd8\r\ufffd\ufffd xp\u0007\ufffd\n\u0006.\ufffd\ufffd\ufffdV%\ufffd[\ufffd\ufffd \ufffd9T\ufffd'\ufffd;\ufffd4\u0013-D\ufffdr\ufffd;\ufffdx\"Q^\ufffd\ufffdUrq\ufffd\u0012\u0011\ufffd`\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0015\ufffd<\ufffd\ufffd\ufffd\ufffd\ufffd\u000b\ufffd\ufffdUj?=>\u0014\|rp\ufffd\u0003\ufffd\ufffd\ufffd+\u001b\ufffd=\u0011}", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003g$\ufffd\u0011\ufffd(\ufffd\ufffd\ufffd\ufffd8\r\ufffd\ufffd xp\u0007\ufffd\n\u0006.\ufffd\ufffd\ufffdV%\ufffd[\ufffd\ufffd \ufffd9T\ufffd'\ufffd;\ufffd4\u0013-D\ufffdr\ufffd;\ufffdx\"Q^\ufffd\ufffdUrq\ufffd\u0012\u0011\ufffd`\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9d793e87a7e80d72018c1385ecbe72253f32924b", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��^b��F�x�k�q\]jn�t!��Z�7 �%�sN�Fr=B��m�x^!��o�D%:��/&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��^b�� F�x�k�q\]jn�t!��Z�7 �%�sN�Fr=B��m�x^!��o�D%:��/&�+�/�,�0̨̩� �� /5� w �+3&$ �UM\|:B�ݤ�5�ì�ބ��s\��M Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.891097778809696, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "bc6e6a0fad319d0cd8218f2309d267bf", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003^b\ufffd\ufffd\u0005\f\ufffd\ufffd\ufffdF\ufffdx\ufffdk\ufffdq\\]j\u0011n\ufffdt!\ufffd\u0013\ufffdZ\ufffd7\r \ufffd%\ufffdsN\ufffdFr=B\ufffd\ufffdm\ufffdx^!\ufffd\ufffd\u000e\ufffd\ufffd\ufffdo\ufffdD%:\ufffd\ufffd\/\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003^b\ufffd\ufffd\u0005\f\ufffd\ufffd\ufffdF\ufffdx\ufffdk\ufffdq\\]j\u0011n\ufffdt!\ufffd\u0013\ufffdZ\ufffd7\r \ufffd%\ufffdsN\ufffdFr=B\ufffd\ufffdm\ufffdx^!\ufffd\ufffd\u000e\ufffd\ufffd\ufffdo\ufffdD%:\ufffd\ufffd\/\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0011\ufffdUM\|:B\ufffd\u0764\ufffd5\ufffd\u00ec\ufffd\ue127\u0784\ufffd\ufffd\b\ufffd\u0002\ufffds\\\ufffd\ufffdM", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003^b\ufffd\ufffd\u0005\f\ufffd\ufffd\ufffdF\ufffdx\ufffdk\ufffdq\\]j\u0011n\ufffdt!\ufffd\u0013\ufffdZ\ufffd7\r \ufffd%\ufffdsN\ufffdFr=B\ufffd\ufffdm\ufffdx^!\ufffd\ufffd\u000e\ufffd\ufffd\ufffdo\ufffdD%:\ufffd\ufffd\/\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003^b\ufffd\ufffd\u0005\f\ufffd\ufffd\ufffdF\ufffdx\ufffdk\ufffdq\\]j\u0011n\ufffdt!\ufffd\u0013\ufffdZ\ufffd7\r \ufffd%\ufffdsN\ufffdFr=B\ufffd\ufffdm\ufffdx^!\ufffd\ufffd\u000e\ufffd\ufffd\ufffdo\ufffdD%:\ufffd\ufffd\/\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0011\ufffdUM\|:B\ufffd\u0764\ufffd5\ufffd\u00ec\ufffd\ue127\u0784\ufffd\ufffd\b\ufffd\u0002\ufffds\\\ufffd\ufffdM", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003^b\ufffd\ufffd\u0005\f\ufffd\ufffd\ufffdF\ufffdx\ufffdk\ufffdq\\]j\u0011n\ufffdt!\ufffd\u0013\ufffdZ\ufffd7\r \ufffd%\ufffdsN\ufffdFr=B\ufffd\ufffdm\ufffdx^!\ufffd\ufffd\u000e\ufffd\ufffd\ufffdo\ufffdD%:\ufffd\ufffd\/\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8f79ad2cdb1aea72a0747c254627f61577baab6f", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��1�K'-�22(Y��1�O+ Q��;�)�3g+R hd��bL䚄.�<�)��v�`�n�6y8[�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��1�K'-�2 2(Y��1�O+ Q��;�)�3g+R hd��bL䚄.�<�)��v�`�n�6y8[�&�+�/�,�0̨̩� �� /5� w �+3&$ �\r�1f�{��_GE?˰�6��$>�;؍ Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.876122966024214, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "4e94ddec316f9f95aec7926ed5ecf6f0", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00031\ufffdK'-\ufffd2\f2(Y\ufffd\ufffd1\ufffdO+\n\u0010Q\ufffd\ufffd\u0003;\ufffd)\ufffd3g+R hd\ufffd\u0014\ufffdbL\u4684.\ufffd<\ufffd)\ufffd\ufffd\u0013\ufffdv\ufffd`\ufffdn\ufffd6\u0011y8[\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00031\ufffdK'-\ufffd2\f2(Y\ufffd\ufffd1\ufffdO+\n\u0010Q\ufffd\ufffd\u0003;\ufffd)\ufffd3g+R hd\ufffd\u0014\ufffdbL\u4684.\ufffd<\ufffd)\ufffd\ufffd\u0013\ufffdv\ufffd`\ufffdn\ufffd6\u0011y8[\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\\r\ufffd1f\ufffd\u0017\u000f\u0002{\ufffd\ufffd_GE?\u02f0\ufffd6\ufffd\ufffd\u0004$>\ufffd\u0006;\u060d\n", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00031\ufffdK'-\ufffd2\f2(Y\ufffd\ufffd1\ufffdO+\n\u0010Q\ufffd\ufffd\u0003;\ufffd)\ufffd3g+R hd\ufffd\u0014\ufffdbL\u4684.\ufffd<\ufffd)\ufffd\ufffd\u0013\ufffdv\ufffd`\ufffdn\ufffd6\u0011y8[\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00031\ufffdK'-\ufffd2\f2(Y\ufffd\ufffd1\ufffdO+\n\u0010Q\ufffd\ufffd\u0003;\ufffd)\ufffd3g+R hd\ufffd\u0014\ufffdbL\u4684.\ufffd<\ufffd)\ufffd\ufffd\u0013\ufffdv\ufffd`\ufffdn\ufffd6\u0011y8[\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\\r\ufffd1f\ufffd\u0017\u000f\u0002{\ufffd\ufffd_GE?\u02f0\ufffd6\ufffd\ufffd\u0004$>\ufffd\u0006;\u060d\n", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00031\ufffdK'-\ufffd2\f2(Y\ufffd\ufffd1\ufffdO+\n\u0010Q\ufffd\ufffd\u0003;\ufffd)\ufffd3g+R hd\ufffd\u0014\ufffdbL\u4684.\ufffd<\ufffd)\ufffd\ufffd\u0013\ufffdv\ufffd`\ufffdn\ufffd6\u0011y8[\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "784c734ddf13262b11277f55c51a0deea8040468", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��OL�6:K?\&AmݜVijpJ%�s�}'Gb t� ��o�3�� J��n7�ݥ�s��+ۅK�u&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��OL�6:K?\&AmݜVijpJ%�s�}'Gb t� ��o�3�� J��n7�ݥ�s��+ۅK�u&�+�/�,�0̨̩� �� /5� w �+3&$ {�6諟'�qFQz�~N�SJ�d��#,�7g Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.885373655151746, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "237d8ad4907a02b5945febdadbf3fe1a", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003OL\ufffd6:K?\\\u0012&Am\u075cVijpJ%\ufffds\ufffd}\u000f'Gb\rt\ufffd \ufffd\ufffd\ufffd\ufffdo\ufffd3\ufffd\ufffd\r\ufffd\ufffdJ\ufffd\ufffd\u0010n7\ufffd\u0765\ufffds\ufffd\u001b\ufffd+\u06c5K\ufffdu\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003OL\ufffd6:K?\\\u0012&Am\u075cVijpJ%\ufffds\ufffd}\u000f'Gb\rt\ufffd \ufffd\ufffd\ufffd\ufffdo\ufffd3\ufffd\ufffd\r\ufffd\ufffdJ\ufffd\ufffd\u0010n7\ufffd\u0765\ufffds\ufffd\u001b\ufffd+\u06c5K\ufffdu\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u001c{\ufffd6\u8adf\u0016\u0014'\ufffdqFQz\ufffd~N\ufffdSJ\u0002\ufffdd\ufffd\ufffd\u0015#,\ufffd7g", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003OL\ufffd6:K?\\\u0012&Am\u075cVijpJ%\ufffds\ufffd}\u000f'Gb\rt\ufffd \ufffd\ufffd\ufffd\ufffdo\ufffd3\ufffd\ufffd\r\ufffd\ufffdJ\ufffd\ufffd\u0010n7\ufffd\u0765\ufffds\ufffd\u001b\ufffd+\u06c5K\ufffdu\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003OL\ufffd6:K?\\\u0012&Am\u075cVijpJ%\ufffds\ufffd}\u000f'Gb\rt\ufffd \ufffd\ufffd\ufffd\ufffdo\ufffd3\ufffd\ufffd\r\ufffd\ufffdJ\ufffd\ufffd\u0010n7\ufffd\u0765\ufffds\ufffd\u001b\ufffd+\u06c5K\ufffdu\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u001c{\ufffd6\u8adf\u0016\u0014'\ufffdqFQz\ufffd~N\ufffdSJ\u0002\ufffdd\ufffd\ufffd\u0015#,\ufffd7g", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003OL\ufffd6:K?\\\u0012&*Am\u075cVijpJ%\ufffds\ufffd}\u000f'Gb\rt\ufffd \ufffd\ufffd\ufffd\ufffdo\ufffd3\ufffd\ufffd\r\ufffd\ufffdJ\ufffd\ufffd\u0010n7\ufffd\u0765\ufffds\ufffd\u001b\ufffd+\u06c5K\ufffdu\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bfb42eab9d031fffc50ec3321c98d544ef28407d", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /appsettings.Production.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /appsettings.Production.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /appsettings.Production.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; moto g(7) power) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /appsettings.Production.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 9; moto g(7) power) Ap Requête brute (extrait) GET /appsettings.Production.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 9; moto g(7) power) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Con Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "8d9aefca90a4afdb3f54f80a5a9d80f11575e843", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "3ae157cd8c43defb5d30e0d7c5c707aa388091b2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 274, "payload_entropy": 5.364938150791095, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "899eee33290db54b7be0e362049a6d9e9fea0c66", "event_fingerprint": "5e886c6ce000edfdb08d0417813fa68c2a2da32e", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6e08b7017e8840e4cb9ed35fdf5df222", "payload_hash": "b354100baa5453376bd8a75966040cb9", "path_pattern_hash": "650438fe08df7df13d88963bd8b41670" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/appsettings.Production.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(7) power) Ap", "method": "GET", "path": "\/appsettings.Production.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; moto g(7) power) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/appsettings.Production.json HTTP\/1.1", "request_sample": "GET \/appsettings.Production.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(7) power) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/appsettings.Production.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(7) power) Ap", "evidence": { "method": "GET", "path": "\/appsettings.Production.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; moto g(7) power) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/appsettings.Production.json HTTP\/1.1", "request_sample": "GET \/appsettings.Production.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(7) power) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/appsettings.Production.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(7) power) Ap", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0cd6acf5b8c4c68ada67fc25c6e20aa1302584e1", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��쒦;�P�q`�pL4��l��REN �b�:��˹��1�6��âO�@�d�Տ p��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��쒦;�P�q`�pL4��l��REN �b�:��˹��1�6��âO�@�d�Տ p��&�+�/�,�0̨̩� �� /5� w �+3&$ g��苺j~3�~gU ?!�"Sg�=�� ob�] Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.891962385572651, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "04b2de31b6b96d3f09ea2707139f3358", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001e\ufffd\ufffd\ufffd\u0006\ufffd\ufffd\ufffd\uc4a6;\ufffdP\ufffdq`\ufffdpL4\ufffd\ufffdl\ufffd\ufffdREN \ufffdb\ufffd:\ufffd\ufffd\u02f9\ufffd\ufffd1\ufffd6\ufffd\ufffd\u00e2O\ufffd@\ufffdd\u0006\ufffd\u054f\tp\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001e\ufffd\ufffd\ufffd\u0006\ufffd\ufffd\ufffd\uc4a6;\ufffdP\ufffdq`\ufffdpL4\ufffd\ufffdl\ufffd\ufffdREN \ufffdb\ufffd:\ufffd\ufffd\u02f9\ufffd\ufffd1\ufffd6\ufffd\ufffd\u00e2O\ufffd@\ufffdd\u0006\ufffd\u054f\tp\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 g\ufffd\ufffd\ufffd\ufffd\u82faj~3\ufffd~gU\r?!\ufffd\"Sg\ufffd\b=\ufffd\ufffd\nob\ufffd]", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001e\ufffd\ufffd\ufffd\u0006\ufffd\ufffd\ufffd\uc4a6;\ufffdP\ufffdq`\ufffdpL4\ufffd\ufffdl\ufffd\ufffdREN \ufffdb\ufffd:\ufffd\ufffd\u02f9\ufffd\ufffd1\ufffd6\ufffd\ufffd\u00e2O\ufffd@\ufffdd\u0006\ufffd\u054f\tp\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001e\ufffd\ufffd\ufffd\u0006\ufffd\ufffd\ufffd\uc4a6;\ufffdP\ufffdq`\ufffdpL4\ufffd\ufffdl\ufffd\ufffdREN \ufffdb\ufffd:\ufffd\ufffd\u02f9\ufffd\ufffd1\ufffd6\ufffd\ufffd\u00e2O\ufffd@\ufffdd\u0006\ufffd\u054f\tp\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 g\ufffd\ufffd\ufffd\ufffd\u82faj~3\ufffd~gU\r?!\ufffd\"Sg\ufffd\b=\ufffd\ufffd\nob\ufffd]", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001e\ufffd\ufffd\ufffd\u0006\ufffd\ufffd\ufffd\uc4a6;\ufffdP\ufffdq`\ufffdpL4\ufffd\ufffdl\ufffd\ufffdREN \ufffdb\ufffd:\ufffd\ufffd\u02f9\ufffd\ufffd1\ufffd6\ufffd\ufffd\u00e2O\ufffd@\ufffdd\u0006\ufffd\u054f\tp\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b8b2ad3b026a586bf2533e98755956b31031d9d0", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��h��P5�@�8}��qF��"�{%nW�� B�L\|��Y�^�J�)F�E��f{�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��h��P5�@�8}��qF��"�{%nW�� B�L\|��Y�^�J�)F�E��f{�&�+�/�,�0̨̩� �� /5� w �+3&$ #>9IV��U��gwm��y�,��G�\ Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.798791619483019, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "41e3441a5988f4ab83ca64e4f08e3919", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003h\u001f\ufffd\ufffd\ufffd\ufffdP\u001e5\ufffd@\ufffd\u00128}\ufffd\ufffdqF\ufffd\ufffd\"\ufffd{%nW\u0016\ufffd\ufffd\ufffd\n \ufffd\u0001\ufffdB\ufffdL\|\ufffd\u0006\ufffd\u0002\u0015\ufffd\ufffd\u0000\u001bY\ufffd^\ufffdJ\ufffd\u0006)F\ufffdE\ufffd\ufffdf{\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003h\u001f\ufffd\ufffd\ufffd\ufffdP\u001e5\ufffd@\ufffd\u00128}\ufffd\ufffdqF\ufffd\ufffd\"\ufffd{%nW\u0016\ufffd\ufffd\ufffd\n \ufffd\u0001\ufffdB\ufffdL\|\ufffd\u0006\ufffd\u0002\u0015\ufffd\ufffd\u0000\u001bY\ufffd^\ufffdJ\ufffd\u0006)F\ufffdE\ufffd\ufffdf{\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0011\b#\u0004>9IV\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffdgwm\ufffd\ufffd\ufffdy\ufffd,\u001b\ufffd\ufffdG\ufffd\\", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003h\u001f\ufffd\ufffd\ufffd\ufffdP\u001e5\ufffd@\ufffd\u00128}\ufffd\ufffdqF\ufffd\ufffd\"\ufffd{%nW\u0016\ufffd\ufffd\ufffd\n \ufffd\u0001\ufffdB\ufffdL\|\ufffd\u0006\ufffd\u0002\u0015\ufffd\ufffd\u0000\u001bY\ufffd^\ufffdJ\ufffd\u0006)F\ufffdE\ufffd\ufffdf{\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003h\u001f\ufffd\ufffd\ufffd\ufffdP\u001e5\ufffd@\ufffd\u00128}\ufffd\ufffdqF\ufffd\ufffd\"\ufffd{%nW\u0016\ufffd\ufffd\ufffd\n \ufffd\u0001\ufffdB\ufffdL\|\ufffd\u0006\ufffd\u0002\u0015\ufffd\ufffd\u0000\u001bY\ufffd^\ufffdJ\ufffd\u0006)F\ufffdE\ufffd\ufffdf{\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0011\b#\u0004>9IV\ufffd\ufffdU*\ufffd\ufffd\ufffd\ufffdgwm\ufffd\ufffd\ufffdy\ufffd,\u001b\ufffd\ufffdG\ufffd\\", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003h\u001f\ufffd\ufffd\ufffd\ufffdP\u001e5\ufffd@\ufffd\u00128}\ufffd\ufffdqF\ufffd\ufffd\"\ufffd{%nW\u0016\ufffd\ufffd\ufffd\n \ufffd\u0001\ufffdB\ufffdL\|\ufffd\u0006\ufffd\u0002\u0015\ufffd\ufffd\u0000\u001bY\ufffd^\ufffdJ\ufffd\u0006)F\ufffdE\ufffd\ufffdf{\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5d08243cfe1bf32f5f2f9e6534e3418fa039986f", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��#��-��i%ML(�#�F�<T��Ե X�3;gZe᏿"\|�N�D_��H��M�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��#��-� ��i%ML( �#�F�<T��Ե X�3;gZe᏿"\|�N�D_��H��M�&�+�/�,�0̨̩� �� /5� w �+3&$ u��\� ��p��?�q�SSn- �� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.900548873540936, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "3d61ebed156aa2de08ca54b857248b4b", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd#\ufffd\u0002\ufffd\u0015\u0005-\ufffd\f\ufffd\ufffd\ufffdi%M\u001eL(\f\ufffd#\ufffdF\ufffd<T\ufffd\ufffd\ufffd\u0535 X\ufffd3;\u000fgZe\u13ff\"\|\ufffdN\ufffdD_\u0013\ufffd\ufffdH\u001b\ufffd\ufffdM\ufffd\u001f\u0001\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd#\ufffd\u0002\ufffd\u0015\u0005-\ufffd\f\ufffd\ufffd\ufffdi%M\u001eL(\f\ufffd#\ufffdF\ufffd<T\ufffd\ufffd\ufffd\u0535 X\ufffd3;\u000fgZe\u13ff\"\|\ufffdN\ufffdD_\u0013\ufffd\ufffdH\u001b\ufffd\ufffdM\ufffd\u001f\u0001\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 u\ufffd\u001c\ufffd\ufffd\ufffd\ufffd\\\ufffd\u0002\f\n\ufffd\ufffdp\ufffd\ufffd\ufffd\u0011\ufffd?\ufffdq\ufffdSSn-\n\ufffd\ufffd\b", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd#\ufffd\u0002\ufffd\u0015\u0005-\ufffd\f\ufffd\ufffd\ufffdi%M\u001eL(\f\ufffd#\ufffdF\ufffd<T\ufffd\ufffd\ufffd\u0535 X\ufffd3;\u000fgZe\u13ff\"\|\ufffdN\ufffdD_\u0013\ufffd\ufffdH\u001b\ufffd\ufffdM\ufffd\u001f\u0001\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd#\ufffd\u0002\ufffd\u0015\u0005-\ufffd\f\ufffd\ufffd\ufffdi%M\u001eL(\f\ufffd#\ufffdF\ufffd<T\ufffd\ufffd\ufffd\u0535 X\ufffd3;\u000fgZe\u13ff\"\|\ufffdN\ufffdD_\u0013\ufffd\ufffdH\u001b\ufffd\ufffdM\ufffd\u001f\u0001\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 u\ufffd\u001c\ufffd\ufffd\ufffd\ufffd\\\ufffd\u0002\f\n\ufffd\ufffdp\ufffd\ufffd\ufffd\u0011\ufffd?\ufffdq\ufffdSSn-\n\ufffd\ufffd\b", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd#\ufffd\u0002\ufffd\u0015\u0005-\ufffd\f\ufffd\ufffd\ufffdi%M\u001eL(\f\ufffd#\ufffdF\ufffd<T\ufffd\ufffd\ufffd\u0535 X\ufffd3;\u000fgZe\u13ff\"\|\ufffdN\ufffdD_\u0013\ufffd\ufffdH\u001b\ufffd\ufffdM\ufffd\u001f\u0001\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "67ee29d81724ff83e5f73c2a4ce4817be78c3797", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /appsettings.Development.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /appsettings.Development.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /appsettings.Development.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3887.7 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /appsettings.Development.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWe Requête brute (extrait) GET /appsettings.Development.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3887.7 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "dce620796822c8d4fac5c00d5c660eb031d9c359", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "b16cc04f90b07f94f00559b7a5b80f472688ce81", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.398156488650844, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "899eee33290db54b7be0e362049a6d9e9fea0c66", "event_fingerprint": "a08ba4871908f1046e622205bf3ebd59138937a3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0d085d781fdc301aec97e1dcd81b2852", "payload_hash": "c97d84c904428110777a900576e91fe1", "path_pattern_hash": "42f6207a734c8447ca0a471ac752ed62" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/appsettings.Development.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "method": "GET", "path": "\/appsettings.Development.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.7 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/appsettings.Development.json HTTP\/1.1", "request_sample": "GET \/appsettings.Development.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.7 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/appsettings.Development.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "evidence": { "method": "GET", "path": "\/appsettings.Development.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.7 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/appsettings.Development.json HTTP\/1.1", "request_sample": "GET \/appsettings.Development.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.7 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/appsettings.Development.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "760e335990f874d4144d4bcadd6b55d8fe989a7d", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��EH 'o3a��j��T��\,��>��]E �N8��>m��Ѝ8��mXkM,d p�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��EH 'o3a��j��T��\,��>��]E �N8��>m��Ѝ8��mXkM,d p�&�+�/�,�0̨̩� �� /5� w �+3&$ ��Yp�f��#v^ŋ��!�5�Gx�Ih)� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.823678625569858, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "048654eab565a473519b03692a2ec5d7", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003EH\n'o\u00163a\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffdT\ufffd\u0017\u000e\ufffd\ufffd\ufffd\\,\ufffd\ufffd>\ufffd\ufffd\u0014]E \ufffdN8\ufffd\u0016\ufffd\u0014\ufffd>m\ufffd\ufffd\ufffd\u040d8\ufffd\ufffd\ufffd\ufffd\ufffdmXk\u001cM\u0012,d\rp\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003EH\n'o\u00163a\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffdT\ufffd\u0017\u000e\ufffd\ufffd\ufffd\\,\ufffd\ufffd>\ufffd\ufffd\u0014]E \ufffdN8\ufffd\u0016\ufffd\u0014\ufffd>m\ufffd\ufffd\ufffd\u040d8\ufffd\ufffd\ufffd\ufffd\ufffdmXk\u001cM\u0012,d\rp\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdYp\ufffd\u0001\u0000f\ufffd\ufffd#v^\u014b\ufffd\ufffd\ufffd!\ufffd\u00025\ufffdGx\ufffd\u0001Ih)\ufffd\u0011", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003EH\n'o\u00163a\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffdT\ufffd\u0017\u000e\ufffd\ufffd\ufffd\\,\ufffd\ufffd>\ufffd\ufffd\u0014]E \ufffdN8\ufffd\u0016\ufffd\u0014\ufffd>m\ufffd\ufffd\ufffd\u040d8\ufffd\ufffd\ufffd\ufffd\ufffdmXk\u001cM\u0012,d\rp\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003EH\n'o\u00163a\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffdT\ufffd\u0017\u000e\ufffd\ufffd\ufffd\\,\ufffd\ufffd>\ufffd\ufffd\u0014]E \ufffdN8\ufffd\u0016\ufffd\u0014\ufffd>m\ufffd\ufffd\ufffd\u040d8\ufffd\ufffd\ufffd\ufffd\ufffdmXk\u001cM\u0012,d\rp\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdYp\ufffd\u0001\u0000f\ufffd\ufffd#v^\u014b\ufffd\ufffd\ufffd!\ufffd\u00025\ufffdGx\ufffd\u0001Ih)\ufffd\u0011", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003EH\n'o\u00163a\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffdT\ufffd\u0017\u000e\ufffd\ufffd\ufffd\\,\ufffd\ufffd>\ufffd\ufffd\u0014]E \ufffdN8\ufffd\u0016\ufffd\u0014\ufffd>m\ufffd\ufffd\ufffd\u040d8\ufffd\ufffd\ufffd\ufffd\ufffdmXk\u001cM\u0012,d\rp\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c6bbf10af7853a1b6a46d274b0dfedcee584d536", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��¸wd)Cy]��C�R��ػ��8�� z&��-7o?١:;��g�l��{��~+�#�v&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��¸wd)Cy]��C�R��ػ��8�� z&��-7o?١:;��g�l��{��~+�#�v&�+�/�,�0̨̩� �� /5� w �+3&$ ٮ��e1s��2�TIr�-��l� �K�2 Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.836247344025244, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "e75c82f0622d1bd2bd3c9effacb790a0", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u00b8wd)Cy]\ufffd\ufffd\u0002\ufffd\ufffdC\ufffdR\ufffd\ufffd\ufffd\u001d\ufffd\ufffd\ufffd\u0001\u063b\ufffd\ufffd8\ufffd\ufffd \ufffdz&\ufffd\ufffd\ufffd-7o?\u0661:;\ufffd\ufffdg\ufffdl\ufffd\u0002\ufffd{\ufffd\ufffd~+\ufffd#\ufffdv\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u00b8wd)Cy]\ufffd\ufffd\u0002\ufffd\ufffdC\ufffdR\ufffd\ufffd\ufffd\u001d\ufffd\ufffd\ufffd\u0001\u063b\ufffd\ufffd8\ufffd\ufffd \ufffdz&\ufffd\ufffd\ufffd-7o?\u0661:;\ufffd\ufffdg\ufffdl\ufffd\u0002\ufffd{\ufffd\ufffd~+\ufffd#\ufffdv\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u066e\ufffd\ufffd\ufffd\ufffde1s\u0007\u0019\ufffd\ufffd2\ufffdTIr\ufffd-\ufffd\u0014\ufffd\ufffdl\u001e\ufffd \ufffdK\ufffd2", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u00b8wd)Cy]\ufffd\ufffd\u0002\ufffd\ufffdC\ufffdR\ufffd\ufffd\ufffd\u001d\ufffd\ufffd\ufffd\u0001\u063b\ufffd\ufffd8\ufffd\ufffd \ufffdz&\ufffd\ufffd\ufffd-7o?\u0661:;\ufffd\ufffdg\ufffdl\ufffd\u0002\ufffd{\ufffd\ufffd~+\ufffd#\ufffdv\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u00b8wd)Cy]\ufffd\ufffd\u0002\ufffd\ufffdC\ufffdR\ufffd\ufffd\ufffd\u001d\ufffd\ufffd\ufffd\u0001\u063b\ufffd\ufffd8\ufffd\ufffd \ufffdz&\ufffd\ufffd\ufffd-7o?\u0661:;\ufffd\ufffdg\ufffdl\ufffd\u0002\ufffd{\ufffd\ufffd~+\ufffd#\ufffdv\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u066e\ufffd\ufffd\ufffd\ufffde1s\u0007\u0019\ufffd\ufffd2\ufffdTIr\ufffd-\ufffd\u0014\ufffd\ufffdl\u001e\ufffd \ufffdK\ufffd2", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u00b8wd)Cy]\ufffd\ufffd\u0002\ufffd\ufffdC\ufffdR\ufffd\ufffd\ufffd\u001d\ufffd\ufffd\ufffd\u0001\u063b\ufffd\ufffd8\ufffd\ufffd \ufffdz&\ufffd\ufffd\ufffd-7o?\u0661:;\ufffd\ufffdg\ufffdl\ufffd\u0002\ufffd{\ufffd\ufffd~+\ufffd#\ufffdv\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8e5272a73221e753284075fd0f8a33fe3836b016", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��)�\|��U�v��01� ��r˩.��և �ͩ��ha#�]2��:v�P��H�V��6H\�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��)�\|��U�v��01� ��r˩.��և �ͩ��ha#�]2��:v�P��H� V��6H\�&�+�/�,�0̨̩� �� /5� w �+3&$ �Jx��b/ ��2^R��JP0�M��\|�ą��v Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.853069514123266, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "4593c88ec1ecaf848e584d7f7016be88", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)\ufffd\|\u0013\ufffd\ufffdU\ufffdv\ufffd\ufffd0\u000e1\ufffd\t\u0007\u0017\ufffd\u0010\ufffd\u000fr\u02e9.\ufffd\u0003\u001e\ufffd\u0587 \ufffd\u0369\ufffd\ufffdha#\ufffd]2\ufffd\ufffd:v\ufffdP\ufffd\u0012\u001f\ufffdH\ufffd\fV\ufffd\ufffd\ufffd6H\\\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)\ufffd\|\u0013\ufffd\ufffdU\ufffdv\ufffd\ufffd0\u000e1\ufffd\t\u0007\u0017\ufffd\u0010\ufffd\u000fr\u02e9.\ufffd\u0003\u001e\ufffd\u0587 \ufffd\u0369\ufffd\ufffdha#\ufffd]2\ufffd\ufffd:v\ufffdP\ufffd\u0012\u001f\ufffdH\ufffd\fV\ufffd\ufffd\ufffd6H\\\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdJx\ufffd\ufffdb\/\u001f\f\ufffd\ufffd2^R\ufffd\ufffdJP0\ufffdM\ufffd\ufffd\|\ufffd\u0105\ufffd\ufffd\ufffd\ufffdv", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)\ufffd\|\u0013\ufffd\ufffdU\ufffdv\ufffd\ufffd0\u000e1\ufffd\t\u0007\u0017\ufffd\u0010\ufffd\u000fr\u02e9.\ufffd\u0003\u001e\ufffd\u0587 \ufffd\u0369\ufffd\ufffdha#\ufffd]2\ufffd\ufffd:v\ufffdP\ufffd\u0012\u001f\ufffdH\ufffd\fV\ufffd\ufffd\ufffd6H\\\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)\ufffd\|\u0013\ufffd\ufffdU\ufffdv\ufffd\ufffd0\u000e1\ufffd\t\u0007\u0017\ufffd\u0010\ufffd\u000fr\u02e9.\ufffd\u0003\u001e\ufffd\u0587 \ufffd\u0369\ufffd\ufffdha#\ufffd]2\ufffd\ufffd:v\ufffdP\ufffd\u0012\u001f\ufffdH\ufffd\fV\ufffd\ufffd\ufffd6H\\\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdJx\ufffd\ufffdb\/\u001f\f\ufffd\ufffd2^R\ufffd\ufffdJP0\ufffdM\ufffd\ufffd\|\ufffd\u0105\ufffd\ufffd\ufffd\ufffdv", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)\ufffd\|\u0013\ufffd\ufffdU\ufffdv\ufffd\ufffd0\u000e1\ufffd\t\u0007\u0017\ufffd\u0010\ufffd\u000fr\u02e9.\ufffd\u0003\u001e\ufffd\u0587 \ufffd\u0369\ufffd\ufffdha#\ufffd]2\ufffd\ufffd:v\ufffdP\ufffd\u0012\u001f\ufffdH\ufffd\fV\ufffd\ufffd\ufffd6H\\\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9bef75207e83c5841eaf90d1f4d9e6e53488eb77", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��g�`�W3lw��!45�c��{�3��9 ��[�R��~�?1��ܼ�\?��L�Ƽ>��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��g�`�W3lw��!45�c��{�3��9 ��[�R��~�?1��ܼ�\?��L�Ƽ>��&�+�/�,�0̨̩� �� /5� w �+3&$ �و�eÝv��#W>�nlR�t�S޳��+6 Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.84730942884028, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "f5640bb2a4d3417514593a2fd936ed77", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000f\u0007\ufffd\ufffd\ufffdg\ufffd`\ufffdW3lw\ufffd\ufffd!\u001945\ufffdc\ufffd\u0015\ufffd\u0018{\ufffd3\ufffd\ufffd9 \ufffd\ufffd[\ufffdR\ufffd\ufffd~\ufffd\u0003?1\ufffd\ufffd\u073c\ufffd\\\u0001?\ufffd\ufffd\ufffd\u0017L\ufffd\u01bc>\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000f\u0007\ufffd\ufffd\ufffdg\ufffd`\ufffdW3lw\ufffd\ufffd!\u001945\ufffdc\ufffd\u0015\ufffd\u0018{\ufffd3\ufffd\ufffd9 \ufffd\ufffd[\ufffdR\ufffd\ufffd~\ufffd\u0003?1\ufffd\ufffd\u073c\ufffd\\\u0001?\ufffd\ufffd\ufffd\u0017L\ufffd\u01bc>\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0648\ufffde\b\u00ddv\u000e\ufffd\ufffd#W>\ufffdnlR\ufffdt\ufffdS\u07b3\ufffd\ufffd\ufffd+6\u0007", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000f\u0007\ufffd\ufffd\ufffdg\ufffd`\ufffdW3lw\ufffd\ufffd!\u001945\ufffdc\ufffd\u0015\ufffd\u0018{\ufffd3\ufffd\ufffd9 \ufffd\ufffd[\ufffdR\ufffd\ufffd~\ufffd\u0003?1\ufffd\ufffd\u073c\ufffd\\\u0001?\ufffd\ufffd\ufffd\u0017L\ufffd\u01bc>\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000f\u0007\ufffd\ufffd\ufffdg\ufffd`\ufffdW3lw\ufffd\ufffd!\u001945\ufffdc\ufffd\u0015\ufffd\u0018{\ufffd3\ufffd\ufffd9 \ufffd\ufffd[\ufffdR\ufffd\ufffd~\ufffd\u0003?1\ufffd\ufffd\u073c\ufffd\\\u0001?\ufffd\ufffd\ufffd\u0017L\ufffd\u01bc>\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0648\ufffd*e\b\u00ddv\u000e\ufffd\ufffd#W>\ufffdnlR\ufffdt\ufffdS\u07b3\ufffd\ufffd\ufffd+6\u0007", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000f\u0007\ufffd\ufffd\ufffdg\ufffd`\ufffdW3lw\ufffd\ufffd!\u001945\ufffdc\ufffd\u0015\ufffd\u0018{\ufffd3\ufffd\ufffd9 \ufffd\ufffd[\ufffdR\ufffd\ufffd~\ufffd\u0003?1\ufffd\ufffd\u073c\ufffd\\\u0001?\ufffd\ufffd\ufffd\u0017L\ufffd\u01bc>\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "49d776bbd390eaf91d67278e3027658183335f04", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��$hGJfs��ք�bgvඓ�X�B9�8 ��h6�e��m#h]��_��"�Yd>�[c�74Ff&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��$hGJfs�� ք�bgvඓ�X�B9�8 ��h6�e��m#h]��_��"�Yd>�[c�74Ff&�+�/�,�0̨̩� �� /5� w �+3&$ Wid�6z��t7R Bb�GL)�f��) Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.868491086516434, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "c3b4e7e44f947049763dac232eeb6658", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003$hGJfs\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\f\ufffd\u0584\ufffd\u000ebgv\u0d93\ufffdX\ufffdB9\ufffd8 \ufffd\ufffdh6\ufffde\ufffd\ufffdm#h]\ufffd\ufffd\ufffd_\ufffd\ufffd\"\ufffdYd>\ufffd[c\ufffd74Ff\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003$hGJfs\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\f\ufffd\u0584\ufffd\u000ebgv\u0d93\ufffdX\ufffdB9\ufffd8 \ufffd\ufffdh6\ufffde\ufffd\ufffdm#h]\ufffd\ufffd\ufffd_\ufffd\ufffd\"\ufffdYd>\ufffd[c\ufffd74Ff\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0014Wid\ufffd6z\ufffd\ufffd\ufffd\ufffd\ufffdt7R\tBb\ufffd\u0002GL\u0006)\ufffdf\ufffd\ufffd)\u0013", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003$hGJfs\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\f\ufffd\u0584\ufffd\u000ebgv\u0d93\ufffdX\ufffdB9\ufffd8 \ufffd\ufffdh6\ufffde\ufffd\ufffdm#h]\ufffd\ufffd\ufffd_\ufffd\ufffd\"\ufffdYd>\ufffd[c\ufffd74Ff\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003$hGJfs\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\f\ufffd\u0584\ufffd\u000ebgv\u0d93\ufffdX\ufffdB9\ufffd8 \ufffd\ufffdh6\ufffde\ufffd\ufffdm#h]\ufffd\ufffd\ufffd_\ufffd\ufffd\"\ufffdYd>\ufffd[c\ufffd74Ff\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0014Wid\ufffd6z\ufffd\ufffd\ufffd\ufffd\ufffdt7R\tBb\ufffd\u0002GL\u0006)\ufffdf\ufffd\ufffd)\u0013", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003$hGJfs\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\f\ufffd\u0584\ufffd\u000ebgv\u0d93\ufffdX\ufffdB9\ufffd8 \ufffd\ufffdh6\ufffde\ufffd\ufffdm#h]\ufffd\ufffd\ufffd_\ufffd\ufffd\"\ufffdYd*>\ufffd[c\ufffd74Ff\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f769ed62ba87ad54ef750c27bffd7d3aee63343e", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Injection SQL	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 20 Recommandation Investiguer Tags 950086:sqli-21 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /parameters.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /parameters.yml Pourquoi cette classification : Injection SQL (tag sqli-21) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /parameters.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.1.1; 1607-A01 Build/NMF26F; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044807 Mobile Safari/537.36 MMWEBID/2867 Micro… Règles WAF sqli-21 rce-0 nosqli-3 Payload (extrait) GET /parameters.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; 1607-A01 Build/NMF26F; wv) A Requête brute (extrait) GET /parameters.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; 1607-A01 Build/NMF26F; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044807 Mobile Safari/537.36 MMWEBID/28 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "67dcbcdcdd0c4e7afb7c713349a6bcc66acc6a39", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "b85297805f4a1660bc0516b82d09c9064617a85f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 407, "payload_entropy": 5.554706941660029, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 88, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 88, "classification": 82, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 66, "tag_count": 4, "anomaly_count": 0, "campaign_key": "910a83c232866ba25b3ea4f22b22b696d41f14c0", "event_fingerprint": "b3fb9e062c5cd94e5cf84d79176125a2b226d14f", "classification_reason": "Injection SQL (tag sqli-21) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 223, "precision_signals": [ "CRS-941100", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "CRS-941100", "INT-upstream", "INT-waf-score" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8dbb105922a5e1a254eb9fff2d71aa4f", "payload_hash": "4f235c840182026a9e592b1edf7059ce", "path_pattern_hash": "1e232f78d9abb7f2c06811728fdfcb5d" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; 1607-A01 Build\/NMF26F; wv) A", "method": "GET", "path": "\/parameters.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; 1607-A01 Build\/NMF26F; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/2867 MicroMessenger\/7.0.6.1460(0x27000634) Process\/tools NetType\/W\u2026", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3" ], "request_line": "GET \/parameters.yml HTTP\/1.1", "request_sample": "GET \/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; 1607-A01 Build\/NMF26F; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/28", "payload_snippet": "GET \/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; 1607-A01 Build\/NMF26F; wv) A", "evidence": { "method": "GET", "path": "\/parameters.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; 1607-A01 Build\/NMF26F; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/2867 MicroMessenger\/7.0.6.1460(0x27000634) Process\/tools NetType\/W\u2026", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3" ], "request_line": "GET \/parameters.yml HTTP\/1.1", "request_sample": "GET \/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; 1607-A01 Build\/NMF26F; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/28", "payload_snippet": "GET \/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; 1607-A01 Build\/NMF26F; wv) A", "classification_reason": "Injection SQL (tag sqli-21) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2032969482e6c75569aa0c74f30529746e098c71", "ban_policy": "advisory_investigate", "tags_list": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��q^S~i:o��ɞנR�a2Sz�E�F�� E ��}. 6�=��,72"Y�roK;�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��q^S~i:o��ɞנR�a2Sz�E�F�� E �� }. 6�=��,72"Y�roK;�&�+�/�,�0̨̩� �� /5� w �+3&$ �̣s��,af��4CH��\R��dT��V Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.89853368455646, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "322697bfc64bde5b317848f9a4c1fa94", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003q^S~i:o\ufffd\ufffd\u025e\u05e0R\ufffda2\u0011\u001b\u0010Sz\ufffdE\ufffdF\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\u0016E\t\u0019\ufffd\ufffd\f}.\n6\ufffd\u000f=\ufffd\ufffd,72\u0002\"Y\ufffdro\u001fK;\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003q^S~i:o\ufffd\ufffd\u025e\u05e0R\ufffda2\u0011\u001b\u0010Sz\ufffdE\ufffdF\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\u0016E\t\u0019\ufffd\ufffd\f}.\n6\ufffd\u000f=\ufffd\ufffd,72\u0002\"Y\ufffdro\u001fK;\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0323s\ufffd\ufffd,a\bf\ufffd\ufffd\ufffd\ufffd4CH\ufffd\ufffd\\R\u0013\ufffd\ufffd\ufffddT\ufffd\ufffd\ufffdV\u0017", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003q^S~i:o\ufffd\ufffd\u025e\u05e0R\ufffda2\u0011\u001b\u0010Sz\ufffdE\ufffdF\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\u0016E\t\u0019\ufffd\ufffd\f}.\n6\ufffd\u000f=\ufffd\ufffd,72\u0002\"Y\ufffdro\u001fK;\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003q^S~i:o\ufffd\ufffd\u025e\u05e0R\ufffda2\u0011\u001b\u0010Sz\ufffdE\ufffdF\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\u0016E\t\u0019\ufffd\ufffd\f}.\n6\ufffd\u000f=\ufffd\ufffd,72\u0002\"Y\ufffdro\u001fK;\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0323s\ufffd\ufffd,a\bf\ufffd\ufffd\ufffd\ufffd4CH\ufffd\ufffd\\R\u0013\ufffd\ufffd\ufffddT\ufffd\ufffd\ufffdV\u0017", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003q^S~i:o\ufffd\ufffd\u025e\u05e0R\ufffda2\u0011\u001b\u0010Sz\ufffdE\ufffdF\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\u0016E\t\u0019\ufffd\ufffd\f}.\n6\ufffd\u000f=\ufffd\ufffd,72\u0002\"Y\ufffdro\u001fK;\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "946776e4688cfc1d4d8a8a2e816679c6f47cd2e4", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /parameters.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /parameters.yaml Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /parameters.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.78.1 (KHTML like Gecko) Version/7.0.6 Safari/537.78.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /parameters.yaml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537 Requête brute (extrait) GET /parameters.yaml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.78.1 (KHTML like Gecko) Version/7.0.6 Safari/537.78.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "1e62b8de0a048d51eb2bcb4b1725402f99d7922e", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "95756296d683ee74665812bc6016d439dcda6d9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.371448965395119, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "899eee33290db54b7be0e362049a6d9e9fea0c66", "event_fingerprint": "fd74cd47967b3d68a455f43ef07f28c572e9412f", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "fb5e35146ac47aeda49a47d2803f65a3", "payload_hash": "51c59884c3a33fbd517b26298617c548", "path_pattern_hash": "cc07af73f4f98af6d4122b31309fa57c" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/537", "method": "GET", "path": "\/parameters.yaml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/537.78.1 (KHTML like Gecko) Version\/7.0.6 Safari\/537.78.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/parameters.yaml HTTP\/1.1", "request_sample": "GET \/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/537.78.1 (KHTML like Gecko) Version\/7.0.6 Safari\/537.78.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/parameters.yaml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/537.78.1 (KHTML like Gecko) Version\/7.0.6 Safari\/537.78.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/parameters.yaml HTTP\/1.1", "request_sample": "GET \/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/537.78.1 (KHTML like Gecko) Version\/7.0.6 Safari\/537.78.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "62fb9abdd5f72d8717cbeed1ea5d823dd1353a43", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��G��s �_�?~`�Aޫ�w��L\ �Zx,j.�W��\|(R-��EeE��^&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��G�� s �_�?~`�Aޫ�w��L\ �Zx,j.�W��\|(R-��EeE��^&�+�/�,�0̨̩� �� /5� w �+3&$ �IpF2G��ģ�wr�)XB�Ѱi��R\| Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.783316049065, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "9e45305876a4684381b35817d57827cd", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001b\b\ufffdG\ufffd\ufffd\f\ufffds\u000f\r\ufffd\u0012_\ufffd?\u000f~`\ufffdA\u07ab\ufffdw\u0004\ufffd\ufffd\ufffdL\\ \ufffdZx,\u0003j.\u001b\ufffd\u0001\u001eW\ufffd\ufffd\ufffd\ufffd\ufffd\|(R-\ufffd\u0000\ufffd\u0015EeE\ufffd\ufffd^\u0006\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001b\b\ufffdG\ufffd\ufffd\f\ufffds\u000f\r\ufffd\u0012_\ufffd?\u000f~`\ufffdA\u07ab\ufffdw\u0004\ufffd\ufffd\ufffdL\\ \ufffdZx,\u0003j.\u001b\ufffd\u0001\u001eW\ufffd\ufffd\ufffd\ufffd\ufffd\|(R-\ufffd\u0000\ufffd\u0015EeE\ufffd\ufffd^\u0006\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdIpF2\u0007G\ufffd\ufffd\u0123\ufffdwr\u001d\u0013\ufffd)XB\ufffd\u0470i\ufffd\ufffd\ufffd\ufffd\u0001R\|", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001b\b\ufffdG\ufffd\ufffd\f\ufffds\u000f\r\ufffd\u0012_\ufffd?\u000f~`\ufffdA\u07ab\ufffdw\u0004\ufffd\ufffd\ufffdL\\ \ufffdZx,\u0003j.\u001b\ufffd\u0001\u001eW\ufffd\ufffd\ufffd\ufffd\ufffd\|(R-\ufffd\u0000\ufffd\u0015EeE\ufffd\ufffd^\u0006\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001b\b\ufffdG\ufffd\ufffd\f\ufffds\u000f\r\ufffd\u0012_\ufffd?\u000f~`\ufffdA\u07ab\ufffdw\u0004\ufffd\ufffd\ufffdL\\ \ufffdZx,\u0003j.\u001b\ufffd\u0001\u001eW\ufffd\ufffd\ufffd\ufffd\ufffd\|(R-\ufffd\u0000\ufffd\u0015EeE\ufffd\ufffd^\u0006\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdIpF2\u0007G\ufffd\ufffd\u0123\ufffdwr\u001d\u0013\ufffd)XB\ufffd\u0470i\ufffd\ufffd\ufffd\ufffd\u0001R\|", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001b\b\ufffdG\ufffd\ufffd\f\ufffds\u000f\r\ufffd\u0012_\ufffd?\u000f~`\ufffdA\u07ab\ufffdw\u0004\ufffd\ufffd\ufffdL\\ \ufffdZx,\u0003j.\u001b\ufffd\u0001\u001eW\ufffd\ufffd\ufffd\ufffd\ufffd\|(R-\ufffd\u0000\ufffd\u0015EeE\ufffd\ufffd^\u0006\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7f9f081f2eec1e39cb4bf4d1d6ea1ab20efb4fd3", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��=;X�~�)_�y�X!ǜ��n��TQ�Uh� L1UG�h�u4�5�^ֽh��b;��4L�5�^&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��=;X�~�)_�y�X!ǜ��n��TQ�Uh� L1UG�h�u4�5�^ֽh��b;��4L�5�^&�+�/�,�0̨̩� �� /5� w �+3&$ ��`�2prn.'~�r�� W�(<>��zt-c Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.882440016251524, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "e37828f09659d1cb0208d44a89c49d7e", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd=;X\ufffd~\ufffd)_\u001d\ufffdy\ufffdX!\u000f\u01dc\ufffd\u0007\ufffdn\ufffd\ufffdTQ\u001c\ufffdUh\ufffd L1UG\ufffdh\ufffdu4\ufffd5\ufffd^\u05bdh\ufffd\ufffdb;\ufffd\u0006\ufffd\ufffd4\u0003L\u001e\ufffd5\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd=;X\ufffd~\ufffd)_\u001d\ufffdy\ufffdX!\u000f\u01dc\ufffd\u0007\ufffdn\ufffd\ufffdTQ\u001c\ufffdUh\ufffd L1UG\ufffdh\ufffdu4\ufffd5\ufffd^\u05bdh\ufffd\ufffdb;\ufffd\u0006\ufffd\ufffd4\u0003L\u001e\ufffd5\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd`\ufffd2prn.'~\ufffdr\ufffd\ufffd\u0013\u0014\fW\ufffd(<>\ufffd\ufffdz\u001bt-c", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd=;X\ufffd~\ufffd)_\u001d\ufffdy\ufffdX!\u000f\u01dc\ufffd\u0007\ufffdn\ufffd\ufffdTQ\u001c\ufffdUh\ufffd L1UG\ufffdh\ufffdu4\ufffd5\ufffd^\u05bdh\ufffd\ufffdb;\ufffd\u0006\ufffd\ufffd4\u0003L\u001e\ufffd5\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd=;X\ufffd~\ufffd)_\u001d\ufffdy\ufffdX!\u000f\u01dc\ufffd\u0007\ufffdn\ufffd\ufffdTQ\u001c\ufffdUh\ufffd L1UG\ufffdh\ufffdu4\ufffd5\ufffd^\u05bdh\ufffd\ufffdb;\ufffd\u0006\ufffd\ufffd4\u0003L\u001e\ufffd5\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd`\ufffd2prn.'~\ufffdr\ufffd\ufffd\u0013\u0014\fW\ufffd(<>\ufffd\ufffdz\u001bt-c", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd=;X\ufffd~\ufffd)_\u001d\ufffdy\ufffdX!\u000f\u01dc\ufffd\u0007\ufffdn\ufffd\ufffdTQ\u001c\ufffdU*h\ufffd L1UG\ufffdh\ufffdu4\ufffd5\ufffd^\u05bdh\ufffd\ufffdb;\ufffd\u0006\ufffd\ufffd4\u0003L\u001e\ufffd5\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "26464e7421acff778bd1180f195b3ada02d3e9a9", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��ڣ��fR��t��Mi��r�M��?� R��z��hCЫZ%<�0V�o��E)&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��ڣ��fR��t��Mi��r�M��?� R��z��hCЫZ%<�0V�o��E)&�+�/�,�0̨̩� �� /5� w �+3&$ Vӕĥ}�Ƙ��?�]�T�+�� ;�� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.830201973991537, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "abab92516bf898cadf96ac0df9046ed1", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0001\u0018\u06a3\ufffd\ufffd\ufffdfR\ufffd\ufffd\ufffdt\ufffd\u0017\ufffd\ufffd\ufffdMi\ufffd\ufffdr\ufffd\u000eM\ufffd\ufffd?\u001d\ufffd \u000eR\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffdhC\u042bZ%<\ufffd\b\u00110V\ufffdo\ufffd\ufffdE)\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0001\u0018\u06a3\ufffd\ufffd\ufffdfR\ufffd\ufffd\ufffdt\ufffd\u0017\ufffd\ufffd\ufffdMi\ufffd\ufffdr\ufffd\u000eM\ufffd\ufffd?\u001d\ufffd \u000eR\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffdhC\u042bZ%<\ufffd\b\u00110V\ufffdo\ufffd\ufffdE)\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 V\u04d5\u0125}\u0013\ufffd\u0198\ufffd\ufffd?\ufffd]\ufffdT\u000e\ufffd+\ufffd\u0012\ufffd\ufffd\t\ufffd;\ufffd\ufffd\u0010", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0001\u0018\u06a3\ufffd\ufffd\ufffdfR\ufffd\ufffd\ufffdt\ufffd\u0017\ufffd\ufffd\ufffdMi\ufffd\ufffdr\ufffd\u000eM\ufffd\ufffd?\u001d\ufffd \u000eR\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffdhC\u042bZ%<\ufffd\b\u00110V\ufffdo\ufffd\ufffdE)\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0001\u0018\u06a3\ufffd\ufffd\ufffdfR\ufffd\ufffd\ufffdt\ufffd\u0017\ufffd\ufffd\ufffdMi\ufffd\ufffdr\ufffd\u000eM\ufffd\ufffd?\u001d\ufffd \u000eR\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffdhC\u042bZ%<\ufffd\b\u00110V\ufffdo\ufffd\ufffdE)\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 V\u04d5\u0125}\u0013\ufffd\u0198\ufffd\ufffd?\ufffd]\ufffdT\u000e\ufffd+\ufffd\u0012\ufffd\ufffd\t\ufffd;\ufffd\ufffd\u0010", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0001\u0018\u06a3\ufffd\ufffd\ufffdfR\ufffd\ufffd\ufffdt\ufffd\u0017\ufffd\ufffd\ufffdMi\ufffd\ufffdr\ufffd\u000eM\ufffd\ufffd?\u001d\ufffd \u000eR\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffdhC\u042bZ%<\ufffd\b\u00110V\ufffdo\ufffd\ufffdE)\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a61af5406730c46463eec0e7901a7b07ba971eb3", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /parameters.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /parameters.php Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /parameters.php HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; SM-G955F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /parameters.php HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G955F) AppleWebKit/537.36 Requête brute (extrait) GET /parameters.php HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G955F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "91011ba10d3f1b5c712782ae1c5de7afc5dd8139", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "286be570ea447b8792eae3fc44fdaf3699668e04", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.396054416904654, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "899eee33290db54b7be0e362049a6d9e9fea0c66", "event_fingerprint": "9dfc7b791633320c06c8a81a517f0506bc2cb348", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f719d5663f350950f82094e81e308c3f", "payload_hash": "faaa77cf181f9fe769cb7aa03bd670e9", "path_pattern_hash": "b7b2f31048e2b1169a73a940e673c13a" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/parameters.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G955F) AppleWebKit\/537.36", "method": "GET", "path": "\/parameters.php", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G955F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/parameters.php HTTP\/1.1", "request_sample": "GET \/parameters.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G955F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/parameters.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G955F) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/parameters.php", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G955F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/parameters.php HTTP\/1.1", "request_sample": "GET \/parameters.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G955F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/parameters.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G955F) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d7b6e32a77827a652385a50ebdd24410b234d1e4", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��%t S2 �� [[��!q�!;e��s� ݀Gy~uN��l�ܿ��8"��l7&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��%t S2 �� [[��!q�!;e��s� ݀Gy~uN��l�ܿ��8"��l7&�+�/�,�0̨̩� �� /5� w �+3&$ @/�8�HЯ� ��㌼�Ǜ)S��p��j Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.795363115540928, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "cbd89a108a0cfbed5f532865716dfead", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001b\ufffd%t\tS2\t\ufffd\ufffd\ufffd\u0004\t[[\u001a\ufffd\ufffd!q\ufffd!;\u0017e\u0002\ufffd\ufffd\ufffds\ufffd \u0740Gy~\u001cuN\ufffd\u0005\ufffd\ufffd\u0016\ufffd\ufffd\u0012l\u0012\ufffd\u073f\ufffd\ufffd8\u001c\"\ufffd\ufffdl7\u0011\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001b\ufffd%t\tS2\t\ufffd\ufffd\ufffd\u0004\t[[\u001a\ufffd\ufffd!q\ufffd!;\u0017e\u0002\ufffd\ufffd\ufffds\ufffd \u0740Gy~\u001cuN\ufffd\u0005\ufffd\ufffd\u0016\ufffd\ufffd\u0012l\u0012\ufffd\u073f\ufffd\ufffd8\u001c\"\ufffd\ufffdl7\u0011\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 @\/\ufffd8\ufffdH\u042f\ufffd\r\ufffd\ufffd\ufffd\u0003\u333c\ufffd\u01db)S\ufffd\ufffd\ufffd\ufffdp\ufffd\ufffd\ufffdj", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001b\ufffd%t\tS2\t\ufffd\ufffd\ufffd\u0004\t[[\u001a\ufffd\ufffd!q\ufffd!;\u0017e\u0002\ufffd\ufffd\ufffds\ufffd \u0740Gy~\u001cuN\ufffd\u0005\ufffd\ufffd\u0016\ufffd\ufffd\u0012l\u0012\ufffd\u073f\ufffd\ufffd8\u001c\"\ufffd\ufffdl7\u0011\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001b\ufffd%t\tS2\t\ufffd\ufffd\ufffd\u0004\t[[\u001a\ufffd\ufffd!q\ufffd!;\u0017e\u0002\ufffd\ufffd\ufffds\ufffd \u0740Gy~\u001cuN\ufffd\u0005\ufffd\ufffd\u0016\ufffd\ufffd\u0012l\u0012\ufffd\u073f\ufffd\ufffd8\u001c\"\ufffd\ufffdl7\u0011\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 @\/\ufffd8\ufffdH\u042f\ufffd\r\ufffd\ufffd\ufffd\u0003\u333c\ufffd\u01db)S\ufffd\ufffd\ufffd\ufffdp\ufffd\ufffd\ufffdj", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001b\ufffd%t\tS2\t\ufffd\ufffd\ufffd\u0004\t[[\u001a\ufffd\ufffd!q\ufffd!;\u0017e\u0002\ufffd\ufffd\ufffds\ufffd \u0740Gy~\u001cuN\ufffd\u0005\ufffd\ufffd\u0016\ufffd\ufffd\u0012l\u0012\ufffd\u073f\ufffd\ufffd8\u001c\"\ufffd\ufffdl7\u0011\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9d247a0cc5caf6a133517edcd8a9391bc85c6231", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��%��W7FX��BV��-�PH��< ��b��}��W�ݓ0bhfm�^�24��Mɮ�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��%�� W7FX��BV��-�PH��< ��b��}��W�ݓ0bhfm�^�24��Mɮ�&�+�/�,�0̨̩� �� /5� w �+3&$ } ��n2ՋP�(Ū�1�>�B?�\�i Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.84123924053873, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "b80eac24dc493955dba457ba3b46e48f", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd%\ufffd\ufffd\f\ufffdW\u001b7FX\ufffd\u001e\u001e\ufffdB\bV\ufffd\ufffd-\ufffdPH\ufffd\ufffd\u001b\u0014< \ufffd\ufffdb\ufffd\ufffd}\ufffd\ufffd\ufffdW\ufffd\u07530bhfm\ufffd^\u0017\ufffd24\ufffd\u0000\ufffdM\u026e\ufffd\u0010\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd%\ufffd\ufffd\f\ufffdW\u001b7FX\ufffd\u001e\u001e\ufffdB\bV\ufffd\ufffd-\ufffdPH\ufffd\ufffd\u001b\u0014< \ufffd\ufffdb\ufffd\ufffd}\ufffd\ufffd\ufffdW\ufffd\u07530bhfm\ufffd^\u0017\ufffd24\ufffd\u0000\ufffdM\u026e\ufffd\u0010\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 }\u000b\ufffd\u0005\ufffdn2\u0001\u054bP\ufffd\u0007(\u016a\ufffd1\ufffd>\u0014\u0001\ufffd\u0018B?\ufffd\u0006\\\ufffdi", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd%\ufffd\ufffd\f\ufffdW\u001b7FX\ufffd\u001e\u001e\ufffdB\bV\ufffd\ufffd-\ufffdPH\ufffd\ufffd\u001b\u0014< \ufffd\ufffdb\ufffd\ufffd}\ufffd\ufffd\ufffdW\ufffd\u07530bhfm\ufffd^\u0017\ufffd24\ufffd\u0000\ufffdM\u026e\ufffd\u0010\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd%\ufffd\ufffd\f\ufffdW\u001b7FX\ufffd\u001e\u001e\ufffdB\bV\ufffd\ufffd-\ufffdPH\ufffd\ufffd\u001b\u0014< \ufffd\ufffdb\ufffd\ufffd}\ufffd\ufffd\ufffdW\ufffd\u07530bhfm\ufffd^\u0017\ufffd24\ufffd\u0000\ufffdM\u026e\ufffd\u0010\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 }\u000b\ufffd\u0005\ufffdn2\u0001\u054bP\ufffd\u0007(\u016a\ufffd1\ufffd>\u0014\u0001\ufffd\u0018B?\ufffd\u0006\\\ufffdi", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd%\ufffd\ufffd\f\ufffdW\u001b7FX\ufffd\u001e\u001e\ufffdB*\bV\ufffd\ufffd-\ufffdPH\ufffd\ufffd\u001b\u0014< \ufffd\ufffdb\ufffd\ufffd}\ufffd\ufffd\ufffdW\ufffd\u07530bhfm\ufffd^\u0017\ufffd24\ufffd\u0000\ufffdM\u026e\ufffd\u0010\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0e88591c4b8febe99500303b859d9f48d91e67a2", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��>=~�:� !��R��=V5w�~�� x53 ��r S��%��v��ge> �Y&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��>=~�: � !��R��=V5w�~�� x53 ��r S��%� ��v��ge> �Y&�+�/�,�0̨̩� �� /5� w �+3&$ &��'z�Q�)�ҭ�Kz#0��ND��$ Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.758979452537986, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "5ca737a160c4550807c99f4b4956dff9", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>=~\u0000\ufffd:\u0011\u000b\ufffd\r!\ufffd\ufffd\u0019R\ufffd\u0004\ufffd=V\u001d5w\ufffd~\ufffd\u0014\ufffd\nx53 \u0017\ufffd\ufffdr\nS\ufffd\ufffd\ufffd\b\u0003\ufffd\ufffd\ufffd%\ufffd\u000b\ufffd\ufffdv\ufffd\ufffdge>\r\ufffdY\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>=~\u0000\ufffd:\u0011\u000b\ufffd\r!\ufffd\ufffd\u0019R\ufffd\u0004\ufffd=V\u001d5w\ufffd~\ufffd\u0014\ufffd\nx53 \u0017\ufffd\ufffdr\nS\ufffd\ufffd\ufffd\b\u0003\ufffd\ufffd\ufffd%\ufffd\u000b\ufffd\ufffdv\ufffd\ufffdge>\r\ufffdY\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 &\ufffd\ufffd\ufffd'z\ufffdQ\ufffd)\ufffd\u04ad\ufffdKz#0\ufffd\ufffd\ufffdND\ufffd\ufffd\ufffd\u001e\ufffd\ufffd$", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>=~\u0000\ufffd:\u0011\u000b\ufffd\r!\ufffd\ufffd\u0019R\ufffd\u0004\ufffd=V\u001d5w\ufffd~\ufffd\u0014\ufffd\nx53 \u0017\ufffd\ufffdr\nS\ufffd\ufffd\ufffd\b\u0003\ufffd\ufffd\ufffd%\ufffd\u000b\ufffd\ufffdv\ufffd\ufffdge>\r\ufffdY\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>=~\u0000\ufffd:\u0011\u000b\ufffd\r!\ufffd\ufffd\u0019R\ufffd\u0004\ufffd=V\u001d5w\ufffd~\ufffd\u0014\ufffd\nx53 \u0017\ufffd\ufffdr\nS\ufffd\ufffd\ufffd\b\u0003\ufffd\ufffd\ufffd%\ufffd\u000b\ufffd\ufffdv\ufffd\ufffdge>\r\ufffdY\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 &\ufffd\ufffd\ufffd'z\ufffdQ\ufffd)\ufffd\u04ad\ufffdKz#0\ufffd\ufffd\ufffdND\ufffd\ufffd\ufffd\u001e\ufffd\ufffd$", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>=~\u0000\ufffd:\u0011\u000b\ufffd\r!\ufffd\ufffd\u0019R\ufffd\u0004\ufffd=V\u001d5w\ufffd~\ufffd\u0014\ufffd\nx53 \u0017\ufffd\ufffdr\nS\ufffd\ufffd\ufffd\b\u0003\ufffd\ufffd\ufffd%\ufffd\u000b\ufffd\ufffdv\ufffd\ufffdge>\r\ufffdY\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e6fa862bae0a7eb477349db47bfe250c5019ea82", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Injection SQL	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 20 Recommandation Investiguer Tags 950086:sqli-21 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /database.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /database.yml Pourquoi cette classification : Injection SQL (tag sqli-21) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /database.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; VTR-AL00 Build/HUAWEIVTR-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044807 Mobile Safari/537.36 MMWEBID/6475 M… Règles WAF sqli-21 rce-0 nosqli-3 Payload (extrait) GET /database.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 9; VTR-AL00 Build/HUAWEIVTR-AL00; wv) Requête brute (extrait) GET /database.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 9; VTR-AL00 Build/HUAWEIVTR-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044807 Mobile Safari/537.36 MMWEBID/ Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "8530e1879e96eddd1151a96f3cad2206feb27fb2", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "d9be78204b9f1f993ba727c25934a91ddb9f7e73", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 407, "payload_entropy": 5.583724903926274, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 88, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 88, "classification": 82, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 66, "tag_count": 4, "anomaly_count": 0, "campaign_key": "52cac7f857733e15bae8ea2f7051904fc012833f", "event_fingerprint": "6b6c978568e9b928ac1878bb94a4c13062c3bc7b", "classification_reason": "Injection SQL (tag sqli-21) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 168, "precision_signals": [ "CRS-941100" ], "kb_rule_ids": [ "CRS-941100" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4ef1cd2493b59bfeff49284d89f3b2bd", "payload_hash": "70f78dfec5664c80658930b9926808ae", "path_pattern_hash": "e456118ffd1efe78c2d2e3dd8e291349" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VTR-AL00 Build\/HUAWEIVTR-AL00; wv)", "method": "GET", "path": "\/database.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; VTR-AL00 Build\/HUAWEIVTR-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/6475 MicroMessenger\/7.0.6.1460(0x27000634) Process\/tools NetTy\u2026", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3" ], "request_line": "GET \/database.yml HTTP\/1.1", "request_sample": "GET \/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VTR-AL00 Build\/HUAWEIVTR-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/", "payload_snippet": "GET \/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VTR-AL00 Build\/HUAWEIVTR-AL00; wv)", "evidence": { "method": "GET", "path": "\/database.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; VTR-AL00 Build\/HUAWEIVTR-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/6475 MicroMessenger\/7.0.6.1460(0x27000634) Process\/tools NetTy\u2026", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3" ], "request_line": "GET \/database.yml HTTP\/1.1", "request_sample": "GET \/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VTR-AL00 Build\/HUAWEIVTR-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/", "payload_snippet": "GET \/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VTR-AL00 Build\/HUAWEIVTR-AL00; wv)", "classification_reason": "Injection SQL (tag sqli-21) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fff8bbfc0cc4b2d2193f49c2adc5a3e3da329091", "ban_policy": "advisory_investigate", "tags_list": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /database.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /database.yaml Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /database.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /database.yaml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /database.yaml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "30a3ab253f0e3ec390f93ddf667bfac31580a242", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "8f59d64dfe8714dd547b4f8e0c456236f926309b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 242, "payload_entropy": 5.412144462800871, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d7edc5850a38d3594957ded838e838a642524353", "event_fingerprint": "b921b96165e516cede24958599c6bd8e0e236604", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a57f3fe8a3e40b9f0638e0a5268cd366", "payload_hash": "4baf219b6b42c7d72490da8862bf89ba", "path_pattern_hash": "67978f470de052926073ab795a08f418" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/database.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/database.yaml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/database.yaml HTTP\/1.1", "request_sample": "GET \/database.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/database.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/database.yaml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/database.yaml HTTP\/1.1", "request_sample": "GET \/database.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/database.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0d7bf974d729143ee47e1858d76a67d3d9ec6aa7", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��`E�Y6bZ��\|�#�!�L]kV��+��M��$ K.9��w��I�(5�!e��-j[&bK��ѡ&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��`E�Y6bZ��\|�#�!�L]kV��+��M��$ K.9��w��I�(5�!e��-j[&bK��ѡ&�+�/�,�0̨̩� �� /5� w �+3&$ @��Oc�_d<Rm��<3@��-�ׄ� m Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.85830478745638, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "a5992757f790158b04907abf9578f6f7", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003`E\ufffdY6bZ\ufffd\u0005\ufffd\|\ufffd#\ufffd!\ufffdL]kV\ufffd\ufffd+\ufffd\ufffd\ufffd\u0000\ufffdM\ufffd\ufffd$ K.9\ufffd\ufffdw\ufffd\ufffdI\ufffd(5\ufffd!e\ufffd\ufffd-j[&bK\ufffd\ufffd\ufffd\ufffd\u0461\u0015\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003`E\ufffdY6bZ\ufffd\u0005\ufffd\|\ufffd#\ufffd!\ufffdL]kV\ufffd\ufffd+\ufffd\ufffd\ufffd\u0000\ufffdM\ufffd\ufffd$ K.9\ufffd\ufffdw\ufffd\ufffdI\ufffd(5\ufffd!e\ufffd\ufffd-j[&bK\ufffd\ufffd\ufffd\ufffd\u0461\u0015\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 @\ufffd\ufffdOc\ufffd_d<Rm\ufffd\ufffd\ufffd<3@\ufffd\u000f\ufffd\ufffd\ufffd-\ufffd\u05c4\u0000\ufffd\u0002\u0019\nm", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003`E\ufffdY6bZ\ufffd\u0005\ufffd\|\ufffd#\ufffd!\ufffdL]kV\ufffd\ufffd+\ufffd\ufffd\ufffd\u0000\ufffdM\ufffd\ufffd$ K.9\ufffd\ufffdw\ufffd\ufffdI\ufffd(5\ufffd!e\ufffd\ufffd-j[&bK\ufffd\ufffd\ufffd\ufffd\u0461\u0015\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003`E\ufffdY6bZ\ufffd\u0005\ufffd\|\ufffd#\ufffd!\ufffdL]kV\ufffd\ufffd+\ufffd\ufffd\ufffd\u0000\ufffdM\ufffd\ufffd$ K.9\ufffd\ufffdw\ufffd\ufffdI\ufffd(5\ufffd!e\ufffd\ufffd-j[&bK\ufffd\ufffd\ufffd\ufffd\u0461\u0015\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 @\ufffd\ufffdOc\ufffd_d<Rm\ufffd\ufffd\ufffd<3@\ufffd\u000f\ufffd\ufffd\ufffd-\ufffd\u05c4\u0000\ufffd\u0002\u0019\nm", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003`E\ufffdY6bZ\ufffd\u0005\ufffd\|\ufffd#\ufffd!\ufffdL]kV\ufffd\ufffd+\ufffd\ufffd\ufffd\u0000\ufffdM\ufffd\ufffd$ K.9\ufffd\ufffdw\ufffd\ufffdI\ufffd(5\ufffd!e\ufffd\ufffd-j[&bK\ufffd\ufffd\ufffd\ufffd\u0461\u0015\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "583c4d6d509bb05f9a9dde849201d3f3d8e9c643", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��tӋ�a0�%�.��,��\|��> H�{RM\|��^�Kj2Lu��N��oe�]�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��tӋ�a0�%�.��,��\|��> H�{RM\|��^�Kj2Lu��N��oe�]�&�+�/�,�0̨̩� �� /5� w �+3&$ [Q�ٗ��h�Oc�$Ǒ�� L $ Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.7681560948736355, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "f89830b6f25e20d5dc4fd49764aa1e9f", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003t\u04cb\ufffda\u00180\u0019\uf5a1\ufffd%\u001a\ufffd.\ufffd\ufffd,\ufffd\ufffd\|\ufffd\ufffd\ufffd\u001a\ufffd\u000e\ufffd> H\ufffd{R\u0001M\|\ufffd\ufffd^\ufffd\u0018Kj\u00002Lu\ufffd\u0017\ufffdN\ufffd\ufffdoe\ufffd]\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003t\u04cb\ufffda\u00180\u0019\uf5a1\ufffd%\u001a\ufffd.\ufffd\ufffd,\ufffd\ufffd\|\ufffd\ufffd\ufffd\u001a\ufffd\u000e\ufffd> H\ufffd{R\u0001M\|\ufffd\ufffd^\ufffd\u0018Kj\u00002Lu\ufffd\u0017\ufffdN\ufffd\ufffdoe\ufffd]\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 [Q\ufffd\u0657\ufffd\u0013\u001d\u0007\u0005\u0006\ufffd\ufffdh\ufffdOc\u0011\ufffd$\u01d1\ufffd\u0016\ufffd\ufffd\f\ufffd\ufffdL $", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003t\u04cb\ufffda\u00180\u0019\uf5a1\ufffd%\u001a\ufffd.\ufffd\ufffd,\ufffd\ufffd\|\ufffd\ufffd\ufffd\u001a\ufffd\u000e\ufffd> H\ufffd{R\u0001M\|\ufffd\ufffd^\ufffd\u0018Kj\u00002Lu\ufffd\u0017\ufffdN\ufffd\ufffdoe\ufffd]\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003t\u04cb\ufffda\u00180\u0019\uf5a1\ufffd%\u001a\ufffd.\ufffd\ufffd,\ufffd\ufffd\|\ufffd\ufffd\ufffd\u001a\ufffd\u000e\ufffd> H\ufffd{R\u0001M\|\ufffd\ufffd^\ufffd\u0018Kj\u00002Lu\ufffd\u0017\ufffdN\ufffd\ufffdoe\ufffd]\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 [Q\ufffd\u0657\ufffd\u0013\u001d\u0007\u0005\u0006\ufffd\ufffdh\ufffdOc\u0011\ufffd$\u01d1\ufffd\u0016\ufffd\ufffd\f\ufffd\ufffdL $", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003t\u04cb\ufffda\u00180\u0019\uf5a1\ufffd%\u001a\ufffd.\ufffd\ufffd,\ufffd\ufffd\|\ufffd\ufffd\ufffd\u001a\ufffd\u000e\ufffd> H\ufffd{R\u0001M\|\ufffd\ufffd^\ufffd\u0018Kj\u00002Lu\ufffd\u0017\ufffdN\ufffd\ufffdoe\ufffd]\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7335212edce444149e8e3b6b63fde43d7e422be7", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /database.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /database.php Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /database.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/527 (KHTML, like Gecko, Safari/419.3) Arora/0.6 (Change: ) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /database.php HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/527 Requête brute (extrait) GET /database.php HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/527 (KHTML, like Gecko, Safari/419.3) Arora/0.6 (Change: ) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "42aff5147cf7c08a0557db4155e4cb2be8b6bd1a", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "1cac4715ed965215df929e78afc22914932809e0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.376537125386377, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "899eee33290db54b7be0e362049a6d9e9fea0c66", "event_fingerprint": "9f73ada4c07093c703348feaaac73e1cc2d54603", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "63e64dde5b9c5fc25e241813b9c3ce69", "payload_hash": "49675cbd80df242dadfb24b2274f7f96", "path_pattern_hash": "90f376acfeae8feaa84cc75eee54384f" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/database.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit\/527 ", "method": "GET", "path": "\/database.php", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit\/527 (KHTML, like Gecko, Safari\/419.3) Arora\/0.6 (Change: )", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/database.php HTTP\/1.1", "request_sample": "GET \/database.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit\/527 (KHTML, like Gecko, Safari\/419.3) Arora\/0.6 (Change: )\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/database.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit\/527", "evidence": { "method": "GET", "path": "\/database.php", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit\/527 (KHTML, like Gecko, Safari\/419.3) Arora\/0.6 (Change: )", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/database.php HTTP\/1.1", "request_sample": "GET \/database.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit\/527 (KHTML, like Gecko, Safari\/419.3) Arora\/0.6 (Change: )\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/database.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit\/527", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "787190ae56166bea6ea611fc41358bcd92ed6a5a", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��n� �on9s �_��?�`�?(��dd�5�1� �F��Um��g��G�M!�/x�5��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��n� �on9s �_��?�`�?(��dd�5�1� �F��Um��g��G�M!�/x�5��&�+�/�,�0̨̩� �� /5� w �+3&$ ��1�=�jKJ��C�"�v�q��̂&�� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.835508250494218, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "4ec35e2cce2a64d2aaf7c8a335b65638", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003n\ufffd\t\u000e\ufffdon9s \ufffd_\ufffd\ufffd\u0007?\ufffd`\ufffd?(\ufffd\ufffddd\ufffd5\ufffd1\ufffd \ufffdF\ufffd\ufffd\ufffd\ufffdUm\ufffd\ufffd\u0016\ufffd\ufffd\u000eg\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffdM!\ufffd\/x\ufffd5\u0001\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003n\ufffd\t\u000e\ufffdon9s \ufffd_\ufffd\ufffd\u0007?\ufffd`\ufffd?(\ufffd\ufffddd\ufffd5\ufffd1\ufffd \ufffdF\ufffd\ufffd\ufffd\ufffdUm\ufffd\ufffd\u0016\ufffd\ufffd\u000eg\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffdM!\ufffd\/x\ufffd5\u0001\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd1\ufffd=\ufffdjK\u0019J\ufffd\ufffdC\ufffd\u0005\"\ufffdv\ufffdq\ufffd\ufffd\ufffd\ufffd\u001f\u0011\u0302&\ufffd\ufffd\u0002", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003n\ufffd\t\u000e\ufffdon9s \ufffd_\ufffd\ufffd\u0007?\ufffd`\ufffd?(\ufffd\ufffddd\ufffd5\ufffd1\ufffd \ufffdF\ufffd\ufffd\ufffd\ufffdUm\ufffd\ufffd\u0016\ufffd\ufffd\u000eg\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffdM!\ufffd\/x\ufffd5\u0001\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003n\ufffd\t\u000e\ufffdon9s \ufffd_\ufffd\ufffd\u0007?\ufffd`\ufffd?(\ufffd\ufffddd\ufffd5\ufffd1\ufffd \ufffdF\ufffd\ufffd\ufffd\ufffdUm\ufffd\ufffd\u0016\ufffd\ufffd\u000eg\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffdM!\ufffd\/x\ufffd5\u0001\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd1\ufffd=\ufffdjK\u0019J\ufffd\ufffdC\ufffd\u0005\"\ufffdv\ufffdq\ufffd\ufffd\ufffd\ufffd\u001f\u0011\u0302&\ufffd\ufffd\u0002", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003n\ufffd\t\u000e\ufffdon9s \ufffd_\ufffd\ufffd\u0007?\ufffd`\ufffd?(\ufffd\ufffddd\ufffd5*\ufffd1\ufffd \ufffdF\ufffd\ufffd\ufffd\ufffdUm\ufffd\ufffd\u0016\ufffd\ufffd\u000eg\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffdM!\ufffd\/x\ufffd5\u0001\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b2e623a4b051d7ade25ab3fb2d70724a94d1b8bc", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��D" ��u��QL��R�x�H�� c�Eż�z�ݚ�<HqK��Vݪ��#��k&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��D" ��u��QL��R�x�H�� c�Eż�z�ݚ�<HqK��Vݪ��#��k&�+�/�,�0̨̩� �� /5� w �+3&$ +��]��}E��"J�Az�{�4�#�� ^ Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.897543114470929, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "374ca0da4bc2d8cd9fbf0e73be69c914", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdD\"\t\ufffd\ufffd\ufffdu\ufffd\ufffdQ\bL\ufffd\u000f\ufffd\ufffdR\u0002\ufffd\u008dx\ufffdH\ufffd\ufffd \ufffdc\ufffdE\u017c\u0003\u0006\ufffdz\ufffd\u075a\ufffd<HqK\ufffd\ufffd\ufffd\u0014V\u076a\ufffd\ufffd#\ufffd\ufffd\ufffdk\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdD\"\t\ufffd\ufffd\ufffdu\ufffd\ufffdQ\bL\ufffd\u000f\ufffd\ufffdR\u0002\ufffd\u008dx\ufffdH\ufffd\ufffd \ufffdc\ufffdE\u017c\u0003\u0006\ufffdz\ufffd\u075a\ufffd<HqK\ufffd\ufffd\ufffd\u0014V\u076a\ufffd\ufffd#\ufffd\ufffd\ufffdk\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 +\ufffd\ufffd\ufffd\ufffd]\ufffd\ufffd}E\ufffd\ufffd\"J\ufffdAz\ufffd\u001f{\ufffd4\ufffd#\ufffd\ufffd\ufffd\u0015\f\ufffd^\u0010", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdD\"\t\ufffd\ufffd\ufffdu\ufffd\ufffdQ\bL\ufffd\u000f\ufffd\ufffdR\u0002\ufffd\u008dx\ufffdH\ufffd\ufffd \ufffdc\ufffdE\u017c\u0003\u0006\ufffdz\ufffd\u075a\ufffd<HqK\ufffd\ufffd\ufffd\u0014V\u076a\ufffd\ufffd#\ufffd\ufffd\ufffdk\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdD\"\t\ufffd\ufffd\ufffdu\ufffd\ufffdQ\bL\ufffd\u000f\ufffd\ufffdR\u0002\ufffd\u008dx\ufffdH\ufffd\ufffd \ufffdc\ufffdE\u017c\u0003\u0006\ufffdz\ufffd\u075a\ufffd<HqK\ufffd\ufffd\ufffd\u0014V\u076a\ufffd\ufffd#\ufffd\ufffd\ufffdk\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 +\ufffd\ufffd\ufffd\ufffd]\ufffd\ufffd}E\ufffd\ufffd\"J\ufffdAz\ufffd\u001f{\ufffd4\ufffd#\ufffd\ufffd\ufffd\u0015\f\ufffd^\u0010", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdD\"\t\ufffd\ufffd\ufffdu\ufffd\ufffdQ\bL\ufffd\u000f\ufffd\ufffdR\u0002\ufffd\u008dx\ufffdH\ufffd\ufffd \ufffdc\ufffdE\u017c\u0003\u0006\ufffdz\ufffd\u075a\ufffd<HqK\ufffd\ufffd\ufffd\u0014V\u076a\ufffd\ufffd#\ufffd\ufffd\ufffdk\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9bf9585dbbbccd01f5f7190c5bdc152e14988e71", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_k8s_probe net_flood Cible HTTP GET /secrets.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /secrets.yml Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /secrets.yml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /secrets.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 Requête brute (extrait) GET /secrets.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "0758e663261fb69a432c26eec7bdcc57fac246d5", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "e7274406f40c7a10480f2d85d43c70d3b9b7d566", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.374279243774307, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "d7102166650cb2d1612fd14a6d7cfb67c7c492cc", "event_fingerprint": "18fc1082394f88734de9013d89dc1b585cd9002c", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9873cd9aceaba0ef05e7a7db5db9a6d3", "payload_hash": "97dc0cd4146ff4456dd36d8ab8e85edc", "path_pattern_hash": "246a47626a113b12058b21154a5a0dd6" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/secrets.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36", "method": "GET", "path": "\/secrets.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/secrets.yml HTTP\/1.1", "request_sample": "GET \/secrets.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/secrets.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/secrets.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/secrets.yml HTTP\/1.1", "request_sample": "GET \/secrets.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/secrets.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "299883e7b8ae1977421ca8e5d939154c46803bb0", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_k8s_probe", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Élevé · 71
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/settings.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api/settings.yml Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/settings.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3879.0 Safari/537.36 Edg/78.0.249.1 Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/settings.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /api/settings.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3879.0 Safari/537.36 Edg/78.0.249.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "64439aed95b30a235434c6331ba7d89444e2a3d8", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "ca1a81175cd9e58e9e1d76706220c73a85edea6c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 264, "payload_entropy": 5.424843784023434, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 6, "anomaly_count": 0, "campaign_key": "b6385f0d3ef331fcb574f3f8ea2b2239cb412176", "event_fingerprint": "e15a833030d68cf40fc0ac7c415ada756c7cf778", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f82d23c79f0b743b31f70ff1a1f19e27", "payload_hash": "23855c5196278ac7302959e07d47e575", "path_pattern_hash": "bf4cbe1c6a04f0ce19969bc5a096ab48" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api\/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 ", "method": "GET", "path": "\/api\/settings.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3879.0 Safari\/537.36 Edg\/78.0.249.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/settings.yml HTTP\/1.1", "request_sample": "GET \/api\/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3879.0 Safari\/537.36 Edg\/78.0.249.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/api\/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/api\/settings.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3879.0 Safari\/537.36 Edg\/78.0.249.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/settings.yml HTTP\/1.1", "request_sample": "GET \/api\/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3879.0 Safari\/537.36 Edg\/78.0.249.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/api\/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5d6806f94589f62f599587358806922698987aa4", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 54
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 12 Recommandation Investiguer Tags 950406:ssrf-3 950470:nosqli-3 net_flood Cible HTTP GET /database.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /database.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /database.json HTTP/1.1` User-Agent TurnitinBot (https://turnitin.com/robot/crawlerinfo.html) Règles WAF ssrf-3 nosqli-3 Payload (extrait) GET /database.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: TurnitinBot (https://turnitin.com/robot/crawlerinfo.html) Accep Requête brute (extrait) GET /database.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: TurnitinBot (https://turnitin.com/robot/crawlerinfo.html) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "0abda20fb0c7a964ef9c63b2287640e1b7b03691", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "f689104314a10f54bd93f91634b8afdc76c6b282", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 190, "payload_entropy": 5.070199252775021, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 56, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6cbebbef4c6f069a2fb60e7e23e0bfadb008905a", "event_fingerprint": "2aaf2d7a2f1a9dcdded52bf8d0f9d06a8a458cf3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2ae2893ad48563e5bfca62563940cc75", "payload_hash": "fb1dafb2e8a8c885289fd2d3692694c9", "path_pattern_hash": "f1f37e8fcf8a0b13708dc4a3ea488f0e" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/database.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)\r\nAccep", "method": "GET", "path": "\/database.json", "user_agent": "TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)", "waf_tags": [ "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "ssrf-3", "nosqli-3" ], "request_line": "GET \/database.json HTTP\/1.1", "request_sample": "GET \/database.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/database.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)\r\nAccep", "evidence": { "method": "GET", "path": "\/database.json", "user_agent": "TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)", "waf_tags": [ "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "ssrf-3", "nosqli-3" ], "request_line": "GET \/database.json HTTP\/1.1", "request_sample": "GET \/database.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/database.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)\r\nAccep", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d6e05a68dbb9f81041fe0ba1f93a1e9a9db980b7", "ban_policy": "advisory_investigate", "tags_list": [ "950406:ssrf-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��@2�u��ܜ :�'�]r�Ȅ��y ��( �fA昬�� S��z��D6Q&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��@2�u��ܜ :�'�]r�Ȅ��y ��( �fA昬�� S��z��D6Q&�+�/�,�0̨̩� �� /5� w �+3&$ e�TE$g��r��)��PIB�ae�r��\|�G Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.836998159188774, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "7a52f2f53d0af269360133ca215e31c0", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@2\ufffdu\u0019\ufffd\ufffd\ufffd\u000e\u071c :\ufffd'\ufffd]r\ufffd\u0204\ufffd\u0013\u0019\ufffd\ufffd\u001c\u000e\ufffdy \ufffd\u001d\ufffd(\t\ufffdfA\u662c\u0003\ufffd\ufffd\t\ufffd\ufffd\ufffdS\ufffd\ufffdz\ufffd\ufffd\ufffd\ufffd\u0014\ufffdD6Q\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@2\ufffdu\u0019\ufffd\ufffd\ufffd\u000e\u071c :\ufffd'\ufffd]r\ufffd\u0204\ufffd\u0013\u0019\ufffd\ufffd\u001c\u000e\ufffdy \ufffd\u001d\ufffd(\t\ufffdfA\u662c\u0003\ufffd\ufffd\t\ufffd\ufffd\ufffdS\ufffd\ufffdz\ufffd\ufffd\ufffd\ufffd\u0014\ufffdD6Q\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 e\ufffdTE\u000e$g\ufffd\ufffd\ufffdr\ufffd\ufffd)\ufffd\ufffdPIB\ufffdae\u001e\ufffdr\ufffd\u0003\ufffd\|\u001a\ufffdG", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@2\ufffdu\u0019\ufffd\ufffd\ufffd\u000e\u071c :\ufffd'\ufffd]r\ufffd\u0204\ufffd\u0013\u0019\ufffd\ufffd\u001c\u000e\ufffdy \ufffd\u001d\ufffd(\t\ufffdfA\u662c\u0003\ufffd\ufffd\t\ufffd\ufffd\ufffdS\ufffd\ufffdz\ufffd\ufffd\ufffd\ufffd\u0014\ufffdD6Q\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@2\ufffdu\u0019\ufffd\ufffd\ufffd\u000e\u071c :\ufffd'\ufffd]r\ufffd\u0204\ufffd\u0013\u0019\ufffd\ufffd\u001c\u000e\ufffdy \ufffd\u001d\ufffd(\t\ufffdfA\u662c\u0003\ufffd\ufffd\t\ufffd\ufffd\ufffdS\ufffd\ufffdz\ufffd\ufffd\ufffd\ufffd\u0014\ufffdD6Q\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 e\ufffdTE\u000e$g\ufffd\ufffd\ufffdr\ufffd\ufffd)\ufffd\ufffdPIB\ufffdae\u001e\ufffdr\ufffd\u0003\ufffd\|\u001a\ufffdG", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@2\ufffdu\u0019\ufffd\ufffd\ufffd\u000e\u071c :\ufffd'\ufffd]r\ufffd\u0204\ufffd\u0013\u0019\ufffd\ufffd\u001c\u000e\ufffdy \ufffd\u001d\ufffd(\t\ufffdfA\u662c\u0003\ufffd\ufffd\t\ufffd\ufffd\ufffdS\ufffd\ufffdz\ufffd\ufffd\ufffd\ufffd\u0014\ufffdD6Q\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7927d3ff963a74415856d1266f6678eef8e4f4e6", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��B��Qt��aӮ�X��2��֟b��J&cF ��`�K��K!`�C ��ψjD 3��=!�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��B�� Qt��aӮ�X��2��֟b��J&cF ��`�K��K!`�C ��ψjD 3��=!�&�+�/�,�0̨̩� �� /5� w �+3&$ ��@�C�DZ�XQ>@�>(�ں�߰\|� =f. Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.807602148084834, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "6982621146ba0a2275e535c4f5170e1a", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0019B\ufffd\ufffd\ufffd\u000bQt\ufffd\ufffda\u04ee\ufffdX\ufffd\ufffd\u0000\ufffd2\ufffd\ufffd\u059fb\ufffd\ufffdJ&cF \ufffd\ufffd\ufffd\ufffd`\ufffdK\u0006\ufffd\ufffd\ufffdK!`\ufffdC \ufffd\u0017\ufffd\u03c8jD 3\ufffd\ufffd=!\u0007\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0019B\ufffd\ufffd\ufffd\u000bQt\ufffd\ufffda\u04ee\ufffdX\ufffd\ufffd\u0000\ufffd2\ufffd\ufffd\u059fb\ufffd\ufffdJ&cF \ufffd\ufffd\ufffd\ufffd`\ufffdK\u0006\ufffd\ufffd\ufffdK!`\ufffdC \ufffd\u0017\ufffd\u03c8jD 3\ufffd\ufffd=!\u0007\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd@\ufffdC\ufffdDZ\u001b\ufffd\u0019X\u000fQ>@\ufffd>(\ufffd\u06ba\ufffd\u001a\u07f0\|\ufffd\f=f.", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0019B\ufffd\ufffd\ufffd\u000bQt\ufffd\ufffda\u04ee\ufffdX\ufffd\ufffd\u0000\ufffd2\ufffd\ufffd\u059fb\ufffd\ufffdJ&cF \ufffd\ufffd\ufffd\ufffd`\ufffdK\u0006\ufffd\ufffd\ufffdK!`\ufffdC \ufffd\u0017\ufffd\u03c8jD 3\ufffd\ufffd=!\u0007\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0019B\ufffd\ufffd\ufffd\u000bQt\ufffd\ufffda\u04ee\ufffdX\ufffd\ufffd\u0000\ufffd2\ufffd\ufffd\u059fb\ufffd\ufffdJ&cF \ufffd\ufffd\ufffd\ufffd`\ufffdK\u0006\ufffd\ufffd\ufffdK!`\ufffdC \ufffd\u0017\ufffd\u03c8jD 3\ufffd\ufffd=!\u0007\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd@\ufffdC\ufffdDZ\u001b\ufffd\u0019X\u000fQ>@\ufffd>(\ufffd\u06ba\ufffd\u001a\u07f0\|\ufffd\f=f.", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0019B\ufffd\ufffd\ufffd\u000bQt\ufffd\ufffda\u04ee\ufffdX\ufffd\ufffd\u0000\ufffd2\ufffd\ufffd\u059fb\ufffd\ufffdJ&cF \ufffd\ufffd\ufffd\ufffd`\ufffdK\u0006\ufffd\ufffd\ufffdK!`\ufffdC \ufffd\u0017\ufffd\u03c8jD 3\ufffd\ufffd=!\u0007\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3b98f2ba379810e028897abc4af75b766d091eff", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /database.ini TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /database.ini Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /database.ini HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 YaBrowser/19.3.1.828 Yowser/2.5 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /database.ini HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, l Requête brute (extrait) GET /database.ini HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 YaBrowser/19.3.1.828 Yowser/2.5 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Con Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ini", "http_ua_hash": "d4fd643349e1d6526e7d0cab0c15dbb179c43a94", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "36b3c3e86399afe1df6968693cd7ee192b1a9b3f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 274, "payload_entropy": 5.422142836067166, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "899eee33290db54b7be0e362049a6d9e9fea0c66", "event_fingerprint": "d3ffa638660cf11ecda4f602c39691b27a00ca7b", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ad79bbcc69575186f2ed0fd22d8f9f71", "payload_hash": "253502c13074e7f9cab4ea319e15f95d", "path_pattern_hash": "a38d47f6033f9b29e88d7f4d46dd5e9d" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/database.ini HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, l", "method": "GET", "path": "\/database.ini", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 YaBrowser\/19.3.1.828 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/database.ini HTTP\/1.1", "request_sample": "GET \/database.ini HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 YaBrowser\/19.3.1.828 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/database.ini HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, l", "evidence": { "method": "GET", "path": "\/database.ini", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 YaBrowser\/19.3.1.828 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/database.ini HTTP\/1.1", "request_sample": "GET \/database.ini HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 YaBrowser\/19.3.1.828 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/database.ini HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, l", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ed62869a4aac1a3987f6d34acb63b8e0a8d48868", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_k8s_probe net_flood Cible HTTP GET /secrets.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /secrets.env Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /secrets.env HTTP/1.1` User-Agent Mozilla/5.0 (Unknown; UNIX BSD/SYSV system) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.7.0 Safari/538.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /secrets.env HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Unknown; UNIX BSD/SYSV system) AppleWebKit/538.1 (KHT Requête brute (extrait) GET /secrets.env HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Unknown; UNIX BSD/SYSV system) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.7.0 Safari/538.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "env", "http_ua_hash": "95be3647521211330ef9c5ce3584911c7c9da7b5", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "22d014944096d18c7b20cd03c2d4364413794fe1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 240, "payload_entropy": 5.4739066314852085, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "d7102166650cb2d1612fd14a6d7cfb67c7c492cc", "event_fingerprint": "51716e2932d6d890f09c76f3057405d09d2e1742", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1fa21196fddfcb27306271cb804cc886", "payload_hash": "43132cb04da12a692f7358a84bc2fc67", "path_pattern_hash": "0883c67cadc74a16a43d777352b0b9da" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/secrets.env HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Unknown; UNIX BSD\/SYSV system) AppleWebKit\/538.1 (KHT", "method": "GET", "path": "\/secrets.env", "user_agent": "Mozilla\/5.0 (Unknown; UNIX BSD\/SYSV system) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.7.0 Safari\/538.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/secrets.env HTTP\/1.1", "request_sample": "GET \/secrets.env HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Unknown; UNIX BSD\/SYSV system) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.7.0 Safari\/538.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/secrets.env HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Unknown; UNIX BSD\/SYSV system) AppleWebKit\/538.1 (KHT", "evidence": { "method": "GET", "path": "\/secrets.env", "user_agent": "Mozilla\/5.0 (Unknown; UNIX BSD\/SYSV system) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.7.0 Safari\/538.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/secrets.env HTTP\/1.1", "request_sample": "GET \/secrets.env HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Unknown; UNIX BSD\/SYSV system) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.7.0 Safari\/538.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/secrets.env HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Unknown; UNIX BSD\/SYSV system) AppleWebKit\/538.1 (KHT", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c07d4121c443a47ea4df6bd4714135e2cf2997ce", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_k8s_probe", "net_flood" ], "asn_dc_heuristic": true }

8.230.0.135

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence