Détails IP 8.230.0.135

Synthèse exécutive

Profil de menace

Score de risque 78/100 Élevé

Première observation 04/06/2026 20:28 UTC

Dernière observation 04/06/2026 20:29 UTC

Événements (période) 766

MITRE ATT&CK principal —

risque 56/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_flood » (signaux protocolaires) · confiance 100%

Comparaison ASN / FAI

ASN 396982 · 8.230.0.0/19 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 766 événements sur la période pour cette IP.

34.79.87.63 Sonde port 18065/TCP 21/06/2026 06:59 UTC
34.62.196.247 Sonde port 21242/TCP 21/06/2026 06:58 UTC
34.52.186.237 Sonde port 12120/TCP 21/06/2026 06:58 UTC
35.203.210.22 Scanner web 21/06/2026 06:58 UTC
34.156.237.98 Sonde port 10047/TCP 21/06/2026 06:57 UTC
35.241.166.201 Sonde port 3550/TCP 21/06/2026 06:57 UTC
162.216.150.153 Sonde PostgreSQL 21/06/2026 06:54 UTC
35.203.210.143 Sonde port 21/06/2026 06:54 UTC

Événements (filtres)

766

Première observation

04/06/2026 20:28 UTC

Dernière observation

04/06/2026 20:29 UTC

Dernière activité (filtres)

04/06/2026 20:29 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

—

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 383 TLS TCP 383

HTTP

383

TLS

383

Géolocalisation

Origine réseau déclarée

Corée du Sud unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 3000 credential_file_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Aperçu payload

GET /private.key HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML

Port / service

3000

Recommandation

Investiguer

Confiance

100%

Famille de menace

ddos

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

766 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

766 événement(s) — page 5/16

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��[��Ϙ=]�߱��?�� DD��i��y� ��g��-�[�a��{�\+t��<��f�\|+�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��[��Ϙ=]�߱��?�� DD��i��y� ��g��-�[�a��{�\+t��<��f�\|+�&�+�/�,�0̨̩� �� /5� w �+3&$ !qw��9��QT�96.G�R�]�� 2G Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.86138772537468, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "af4b93bf83794749c2e7d59a042cafc5", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd[\ufffd\ufffd\ufffd\u03d8=]\ufffd\u07f1\ufffd\ufffd?\ufffd\ufffd\tDD\ufffd\ufffd\ufffd\ufffd\u0016i\ufffd\ufffd\ufffdy\ufffd \ufffd\u0000\ufffd\u000e\ufffdg\ufffd\u001d\ufffd-\ufffd[\ufffda\ufffd\ufffd{\ufffd\\+t\ufffd\ufffd<\ufffd\ufffd\ufffdf\ufffd\|+\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd[\ufffd\ufffd\ufffd\u03d8=]\ufffd\u07f1\ufffd\ufffd?\ufffd\ufffd\tDD\ufffd\ufffd\ufffd\ufffd\u0016i\ufffd\ufffd\ufffdy\ufffd \ufffd\u0000\ufffd\u000e\ufffdg\ufffd\u001d\ufffd-\ufffd[\ufffda\ufffd\ufffd{\ufffd\\+t\ufffd\ufffd<\ufffd\ufffd\ufffdf\ufffd\|+\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 !qw\u0014\ufffd\ufffd\ufffd9\ufffd\ufffdQT\ufffd96.G\ufffdR\u001e\u000e\ufffd]\ufffd\ufffd\ufffd \ufffd2G", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd[\ufffd\ufffd\ufffd\u03d8=]\ufffd\u07f1\ufffd\ufffd?\ufffd\ufffd\tDD\ufffd\ufffd\ufffd\ufffd\u0016i\ufffd\ufffd\ufffdy\ufffd \ufffd\u0000\ufffd\u000e\ufffdg\ufffd\u001d\ufffd-\ufffd[\ufffda\ufffd\ufffd{\ufffd\\+t\ufffd\ufffd<\ufffd\ufffd\ufffdf\ufffd\|+\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd[\ufffd\ufffd\ufffd\u03d8=]\ufffd\u07f1\ufffd\ufffd?\ufffd\ufffd\tDD\ufffd\ufffd\ufffd\ufffd\u0016i\ufffd\ufffd\ufffdy\ufffd \ufffd\u0000\ufffd\u000e\ufffdg\ufffd\u001d\ufffd-\ufffd[\ufffda\ufffd\ufffd{\ufffd\\+t\ufffd\ufffd<\ufffd\ufffd\ufffdf\ufffd\|+\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 !qw\u0014\ufffd\ufffd\ufffd9\ufffd\ufffdQT\ufffd96.G\ufffdR\u001e\u000e*\ufffd]\ufffd\ufffd\ufffd \ufffd2G", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd[\ufffd\ufffd\ufffd\u03d8=]\ufffd\u07f1\ufffd\ufffd?\ufffd\ufffd\tDD\ufffd\ufffd\ufffd\ufffd\u0016i\ufffd\ufffd\ufffdy\ufffd \ufffd\u0000\ufffd\u000e\ufffdg\ufffd\u001d\ufffd-\ufffd[\ufffda\ufffd\ufffd{\ufffd\\+t\ufffd\ufffd<\ufffd\ufffd\ufffdf\ufffd\|+\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2b625a8a785155fc0cc508c83fedbd2df760cc0e", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��2ʊ~�No�6��pH4@�P6��C ZM;K_ñPD�dN�Ǉaqe��Îr�Q&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��2ʊ~�No�6��pH4@�P6��C ZM ;K_ñPD�dN�Ǉaqe��Îr�Q&�+�/�,�0̨̩� �� /5� w �+3&$ t��F�W�� :AD��y�L�ZL�A �D3 Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.923948052427365, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "c17ac5c90c46013e1520fc90968cdc37", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00032\u028a~\ufffdN\u001f\u0019o\ufffd6\ufffd\ufffd\ufffd\ufffdpH4@\ufffdP6\u000f\u0018\ufffd\ufffd\u001a\ufffd\ufffd\u001cC \u0010ZM\f;K_\u00f1PD\ufffddN\ufffd\u01c7aqe\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\u00cer\u001e\ufffdQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00032\u028a~\ufffdN\u001f\u0019o\ufffd6\ufffd\ufffd\ufffd\ufffdpH4@\ufffdP6\u000f\u0018\ufffd\ufffd\u001a\ufffd\ufffd\u001cC \u0010ZM\f;K_\u00f1PD\ufffddN\ufffd\u01c7aqe\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\u00cer\u001e\ufffdQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 t\ufffd\ufffdF\ufffdW\ufffd\ufffd\ufffd\r\ufffd:\u0014AD\b\ufffd\ufffd\ufffdy\ufffdL\ufffdZL\ufffdA \ufffdD3", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00032\u028a~\ufffdN\u001f\u0019o\ufffd6\ufffd\ufffd\ufffd\ufffdpH4@\ufffdP6\u000f\u0018\ufffd\ufffd\u001a\ufffd\ufffd\u001cC \u0010ZM\f;K_\u00f1PD\ufffddN\ufffd\u01c7aqe\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\u00cer\u001e\ufffdQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00032\u028a~\ufffdN\u001f\u0019o\ufffd6\ufffd\ufffd\ufffd\ufffdpH4@\ufffdP6\u000f\u0018\ufffd\ufffd\u001a\ufffd\ufffd\u001cC \u0010ZM\f;K_\u00f1PD\ufffddN\ufffd\u01c7aqe\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\u00cer\u001e\ufffdQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 t\ufffd\ufffdF\ufffdW\ufffd\ufffd\ufffd\r\ufffd:\u0014AD\b\ufffd\ufffd\ufffdy\ufffdL\ufffdZL\ufffdA \ufffdD3", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00032\u028a~\ufffdN\u001f\u0019o\ufffd6\ufffd\ufffd\ufffd\ufffdpH4@\ufffdP6\u000f\u0018\ufffd\ufffd\u001a\ufffd\ufffd\u001cC \u0010ZM\f;K_\u00f1PD\ufffddN\ufffd\u01c7aqe\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\u00cer\u001e\ufffdQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f0153a64b78caa36760a064c7bf71e270452b2ee", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��c��B�OR5��4 0�[Z�ƾ ?�Ν�t��_x��6��~��۷&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��c��B�OR5��4 0�[Z�ƾ ?�Ν�t��_x��6��~��۷&�+�/�,�0̨̩� �� /5� w �+3&$ K>��@��4R/uvK�Q��U��mf� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.807040440295763, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "394111be2f4747835586593e6582855b", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001c\ufffd\u0003\ufffdB\ufffd\u0007OR5\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd4\t0\ufffd[Z\ufffd\u01be ?\ufffd\u039d\ufffdt\ufffd\ufffd\ufffd\ufffd_x\u000f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffd\ufffd~\ufffd\ufffd\u001d\u001e\u06f7\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001c\ufffd\u0003\ufffdB\ufffd\u0007OR5\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd4\t0\ufffd[Z\ufffd\u01be ?\ufffd\u039d\ufffdt\ufffd\ufffd\ufffd\ufffd_x\u000f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffd\ufffd~\ufffd\ufffd\u001d\u001e\u06f7\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 K>\u0019\u001b\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd\u001c4R\/uvK\ufffdQ\ufffd\ufffd\u0011U\ufffd\ufffd\ufffdmf\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001c\ufffd\u0003\ufffdB\ufffd\u0007OR5\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd4\t0\ufffd[Z\ufffd\u01be ?\ufffd\u039d\ufffdt\ufffd\ufffd\ufffd\ufffd_x\u000f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffd\ufffd~\ufffd\ufffd\u001d\u001e\u06f7\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001c\ufffd\u0003\ufffdB\ufffd\u0007OR5\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd4\t0\ufffd[Z\ufffd\u01be ?\ufffd\u039d\ufffdt\ufffd\ufffd\ufffd\ufffd_x\u000f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffd\ufffd~\ufffd\ufffd\u001d\u001e\u06f7\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 K>\u0019\u001b\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd\u001c4R\/uvK\ufffdQ\ufffd\ufffd\u0011U\ufffd\ufffd\ufffdmf\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001c\ufffd\u0003\ufffdB\ufffd\u0007OR5\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd4\t0\ufffd[Z\ufffd\u01be ?\ufffd\u039d\ufffdt\ufffd\ufffd\ufffd\ufffd_x\u000f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffd\ufffd~\ufffd\ufffd\u001d\u001e\u06f7\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "81e68313afe99576b519c942336f86cfbae63820", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��ぴ�z�}�&Q�F�̄�a��YeVG��(�u��, c��4�܊E�/:x�?\|m�_!�aN�� [&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��ぴ�z�}�&Q�F�̄�a��YeVG��(�u��, c��4�܊E�/:x�?\|m�_!�aN�� [&�+�/�,�0̨̩� �� /5� w �+3&$ ��~��hQ��F�nm�?��#�S9�Zq Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.893487607232075, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "de3125a5dce2fbbd53050cb998b0ddfb", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u3074\ufffdz\ufffd}\ufffd&Q\ufffdF\ufffd\u0304\ufffda\ufffd\ufffdYeVG\ufffd\ufffd\ufffd(\ufffdu\ufffd\ufffd, c\ufffd\ufffd4\u0005\ufffd\u070aE\ufffd\/:x\ufffd?\|m\u0093\ufffd_!\ufffdaN\ufffd\ufffd\r\ufffd\ufffd[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u3074\ufffdz\ufffd}\ufffd&Q\ufffdF\ufffd\u0304\ufffda\ufffd\ufffdYeVG\ufffd\ufffd\ufffd(\ufffdu\ufffd\ufffd, c\ufffd\ufffd4\u0005\ufffd\u070aE\ufffd\/:x\ufffd?\|m\u0093\ufffd_!\ufffdaN\ufffd\ufffd\r\ufffd\ufffd[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd~\ufffd\u0007\ufffdhQ\ufffd\ufffd\u0006F\ufffdnm\ufffd?\ufffd\ufffd\u0007\ufffd\ufffd#\ufffdS9\ufffdZ\u0005q", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u3074\ufffdz\ufffd}\ufffd&Q\ufffdF\ufffd\u0304\ufffda\ufffd\ufffdYeVG\ufffd\ufffd\ufffd(\ufffdu\ufffd\ufffd, c\ufffd\ufffd4\u0005\ufffd\u070aE\ufffd\/:x\ufffd?\|m\u0093\ufffd_!\ufffdaN\ufffd\ufffd\r\ufffd\ufffd[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u3074\ufffdz\ufffd}\ufffd&Q\ufffdF\ufffd\u0304\ufffda\ufffd\ufffdYeVG\ufffd\ufffd\ufffd(\ufffdu\ufffd\ufffd, c\ufffd\ufffd4\u0005\ufffd\u070aE\ufffd\/:x\ufffd?\|m\u0093\ufffd_!\ufffdaN\ufffd\ufffd\r\ufffd\ufffd[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd~\ufffd\u0007\ufffdhQ\ufffd\ufffd\u0006F\ufffdnm\ufffd?\ufffd\ufffd\u0007\ufffd\ufffd#\ufffdS9\ufffdZ\u0005q", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u3074\ufffdz\ufffd}\ufffd&Q\ufffdF\ufffd\u0304\ufffda\ufffd\ufffdYeVG\ufffd\ufffd\ufffd(\ufffdu\ufffd\ufffd, c\ufffd\ufffd4\u0005\ufffd\u070aE\ufffd\/:x\ufffd?\|m\u0093\ufffd_!\ufffdaN\ufffd\ufffd\r\ufffd\ufffd[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "396c04900a6266c56db166363eb4ac3c822b98e0", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Élevé · 71
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/application.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api/application.yml Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/application.yml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/application.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi Requête brute (extrait) GET /api/application.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "8fe78328d262057c27b52a67fb6578e07ef3e588", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "eaa807d97ed075164ad06a16fff4f79030561dd8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.394041750519191, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 6, "anomaly_count": 0, "campaign_key": "b6385f0d3ef331fcb574f3f8ea2b2239cb412176", "event_fingerprint": "785fcdcaa2cbb568b7a0f9a1da670eb90e60627e", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "aefe0aa60c3e3b58db92218df8eb3730", "payload_hash": "ab22d49dc5b5be83d2ff9516e2a3ff10", "path_pattern_hash": "f35df1fc019a96ac8898ec6340239854" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi", "method": "GET", "path": "\/api\/application.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/application.yml HTTP\/1.1", "request_sample": "GET \/api\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/api\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi", "evidence": { "method": "GET", "path": "\/api\/application.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/application.yml HTTP\/1.1", "request_sample": "GET \/api\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/api\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a675090910eb2346c5e4b40bd0f4f542a30c675a", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��x%˩��gjÏ��9&=u�%Ű>w�&��8� ��D�L� �ap�춋[.Imcٔ�1\Hk&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��x%˩��gjÏ��9&=u�%Ű>w�&��8� ��D�L� �ap�춋[.Imcٔ�1\Hk&�+�/�,�0̨̩� �� /5� w �+3&$ ��G�=ܫ?\�D8K��r�&k��l��_�g Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.8498497011949535, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "f1dcc47e01e41e65547adcfefc8a0053", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003x%\u02e9\u001a\ufffd\ufffdgj\u00cf\ufffd\ufffd\b9&\u0012=u\ufffd%\u0170>\u0016w\ufffd&\ufffd\ufffd8\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdL\ufffd\r\ufffda\u001fp\ufffd\ucd8b[\u0011.Im\u0013c\u0654\ufffd1\\Hk\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003x%\u02e9\u001a\ufffd\ufffdgj\u00cf\ufffd\ufffd\b9&\u0012=u\ufffd%\u0170>\u0016w\ufffd&\ufffd\ufffd8\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdL\ufffd\r\ufffda\u001fp\ufffd\ucd8b[\u0011.Im\u0013c\u0654\ufffd1\\Hk\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffdG\ufffd=\u072b?\\\ufffdD8K\ufffd\ufffdr\ufffd&k\ufffd\u001f\ufffdl\ufffd\u001f\ufffd\ufffd_\ufffd\u0012g", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003x%\u02e9\u001a\ufffd\ufffdgj\u00cf\ufffd\ufffd\b9&\u0012=u\ufffd%\u0170>\u0016w\ufffd&\ufffd\ufffd8\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdL\ufffd\r\ufffda\u001fp\ufffd\ucd8b[\u0011.Im\u0013c\u0654\ufffd1\\Hk\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003x%\u02e9\u001a\ufffd\ufffdgj\u00cf\ufffd\ufffd\b9&\u0012=u\ufffd%\u0170>\u0016w\ufffd&\ufffd\ufffd8\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdL\ufffd\r\ufffda\u001fp\ufffd\ucd8b[\u0011.Im\u0013c\u0654\ufffd1\\Hk\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffdG\ufffd=\u072b?\\\ufffdD8K\ufffd\ufffdr\ufffd&k\ufffd\u001f\ufffdl\ufffd\u001f\ufffd\ufffd_\ufffd\u0012g", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003x%\u02e9\u001a\ufffd\ufffdgj\u00cf\ufffd\ufffd\b9&\u0012=u\ufffd%\u0170>\u0016w\ufffd&\ufffd\ufffd8\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdL\ufffd\r\ufffda\u001fp\ufffd\ucd8b[\u0011.Im\u0013c\u0654\ufffd1\\Hk\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "48b3ada88b931f11f0f84f7fcebc14582ac4ca6e", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Sonde fichier configuration	Élevée	Élevé · 70
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api/config.php Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/config.php HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko/20100101 Firefox/4.2a1pre Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/config.php HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko/20100101 Fir Requête brute (extrait) GET /api/config.php HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko/20100101 Firefox/4.2a1pre Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "1609cb7afc4818ecfa4fd09f4a99f4b7f89776de", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "514e7d3a4a3b92e1be2515643df9985485409f7e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 210, "payload_entropy": 5.277812860614269, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.3, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dffbcaaaf3598bcf853059c4882e76ebe6567846", "event_fingerprint": "cfcc52ed9fa730ceaa06553d97ccc4779830162d", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9f7bf7e48d3f63c5e0e8476feb345376", "payload_hash": "b10e7030fe05089d2a5607480a0d37d5", "path_pattern_hash": "b207f8075f9179f23f0d3550b27348d0" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Fir", "method": "GET", "path": "\/api\/config.php", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Firefox\/4.2a1pre", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/config.php HTTP\/1.1", "request_sample": "GET \/api\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Firefox\/4.2a1pre\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Fir", "evidence": { "method": "GET", "path": "\/api\/config.php", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Firefox\/4.2a1pre", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/config.php HTTP\/1.1", "request_sample": "GET \/api\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Firefox\/4.2a1pre\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Fir", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4747991da2e42a4f43ba3ab8cd4a49b8c7b06634", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��A�6�;�j:Q�!t7�H��~1�? 5�ͽ�g��U ��e~��[��nBV�?Y&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��A�6�;�j:Q�!t7�H��~1�? 5�ͽ�g ��U ��e~��[��nBV�?Y&�+�/�,�0̨̩� �� /5� w �+3&$ �WL6#��5��c)��:��$��o��r��n�Q� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.848041318326633, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "790caaa252a0785d9163476382f86835", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd6\ufffd\u0017;\u0016\ufffd\u0016j:\u0005Q\u0016\u001e\ufffd!\u0007t\u00067\ufffdH\u0014\ufffd\ufffd\ufffd~1\ufffd? 5\ufffd\u037d\ufffdg\u000b\ufffd\u0019\ufffdU \ufffd\u0012\ufffde\u0011~\ufffd\ufffd\u0007[\ufffd\ufffdnBV\ufffd?Y\b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd6\ufffd\u0017;\u0016\ufffd\u0016j:\u0005Q\u0016\u001e\ufffd!\u0007t\u00067\ufffdH\u0014\ufffd\ufffd\ufffd~1\ufffd? 5\ufffd\u037d\ufffdg\u000b\ufffd\u0019\ufffdU \ufffd\u0012\ufffde\u0011~\ufffd\ufffd\u0007[\ufffd\ufffdnBV\ufffd?Y\b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdWL6\u001c#\ufffd\ufffd5\ufffd\ufffdc)\ufffd\ufffd:\ufffd\ufffd$\ufffd\ufffdo\ufffd\ufffdr\ufffd\ufffdn\ufffdQ\ufffd\u0017", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd6\ufffd\u0017;\u0016\ufffd\u0016j:\u0005Q\u0016\u001e\ufffd!\u0007t\u00067\ufffdH\u0014\ufffd\ufffd\ufffd~1\ufffd? 5\ufffd\u037d\ufffdg\u000b\ufffd\u0019\ufffdU \ufffd\u0012\ufffde\u0011~\ufffd\ufffd\u0007[\ufffd\ufffdnBV\ufffd?Y\b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd6\ufffd\u0017;\u0016\ufffd\u0016j:\u0005Q\u0016\u001e\ufffd!\u0007t\u00067\ufffdH\u0014\ufffd\ufffd\ufffd~1\ufffd? 5\ufffd\u037d\ufffdg\u000b\ufffd\u0019\ufffdU \ufffd\u0012\ufffde\u0011~\ufffd\ufffd\u0007[\ufffd\ufffdnBV\ufffd?Y\b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdWL6\u001c#\ufffd\ufffd5\ufffd\ufffdc)\ufffd\ufffd:\ufffd\ufffd$\ufffd\ufffdo\ufffd\ufffdr\ufffd\ufffdn\ufffdQ\ufffd\u0017", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd6\ufffd\u0017;\u0016\ufffd\u0016j:\u0005Q\u0016\u001e\ufffd!\u0007t\u00067\ufffdH\u0014\ufffd\ufffd\ufffd~1\ufffd? 5\ufffd\u037d\ufffdg\u000b\ufffd\u0019\ufffdU \ufffd\u0012\ufffde\u0011~\ufffd\ufffd\u0007[\ufffd\ufffdnBV\ufffd?Y\b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "60101dea49b65e61c6a2a3c747b4a52a8be4daa6", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /db.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /db.yml Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /db.yml HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /db.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605. Requête brute (extrait) GET /db.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "4111832ebe3597af454ce590f312702dd158237e", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "8902f884055e10d44369da2658f0c5c16f0a2505", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.408004047137836, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "899eee33290db54b7be0e362049a6d9e9fea0c66", "event_fingerprint": "7fdcf280c09d46388c8e20d40033d974cea760c3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "fce8b2c5fa067b854db8ca48c513daa0", "payload_hash": "8d3d45802562bbce589a11752ab591a0", "path_pattern_hash": "1ea006ee48389b77472d9725b6423822" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/db.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit\/605.", "method": "GET", "path": "\/db.yml", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/db.yml HTTP\/1.1", "request_sample": "GET \/db.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/db.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit\/605.", "evidence": { "method": "GET", "path": "\/db.yml", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/db.yml HTTP\/1.1", "request_sample": "GET \/db.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/db.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit\/605.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ab8da4b9f989e44978f1bacc619a9a5349e21cfd", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /credentials.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /credentials.yml Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /credentials.yml HTTP/1.1` User-Agent Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38.0 SeaMonkey/2.35 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /credentials.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/3 Requête brute (extrait) GET /credentials.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38.0 SeaMonkey/2.35 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "1f69c22c1d5ce0976451c643172bc451fba0d85d", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "bca7eb2dd7c561aea984af03495412686a40d9aa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 215, "payload_entropy": 5.290167509070587, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 92, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 67, "tag_count": 4, "anomaly_count": 0, "campaign_key": "38d7ab751c4e463feff560b266f113d9200cbeb5", "event_fingerprint": "fd82033ee422df5847ec39cb22946e3e4d204380", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3c9fca5e9d09253956ec994cf0f7558f", "payload_hash": "064ef3387b230245bdf3f7c57d28ea3c", "path_pattern_hash": "8776284d37d929f9b9b86a48075edcd0" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/credentials.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/3", "method": "GET", "path": "\/credentials.yml", "user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0 SeaMonkey\/2.35", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/credentials.yml HTTP\/1.1", "request_sample": "GET \/credentials.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0 SeaMonkey\/2.35\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/credentials.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/3", "evidence": { "method": "GET", "path": "\/credentials.yml", "user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0 SeaMonkey\/2.35", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/credentials.yml HTTP\/1.1", "request_sample": "GET \/credentials.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0 SeaMonkey\/2.35\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/credentials.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "99071054744ef5f56a4c9765661a56fb4ffc26d8", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��>��S� ��i��&U��2�ێK�a�L� ��&,ρ��K��n�<��$�!&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��>��S� ��i��&U��2�ێK�a�L� ��&,ρ��K��n�<��$�!&�+�/�,�0̨̩� �� /5� w �+3&$ �<�V��ߜ��#��j4��v<��H Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.796825771423769, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "40a91d30e41406af6030062944b10453", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>\ufffd\ufffd\ufffdS\ufffd\r\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd&U\ufffd\ufffd2\ufffd\u06ceK\ufffda\u001e\ufffd\u0015L\ufffd \t\ufffd\ufffd&,\u03c1\ufffd\ufffd\u001c\ufffdK\u001c\ufffd\u001c\u0001\ufffd\ufffd\ufffdn\ufffd<\ufffd\u0019\ufffd\ufffd\ufffd\ufffd$\ufffd\u0005!\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>\ufffd\ufffd\ufffdS\ufffd\r\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd&U\ufffd\ufffd2\ufffd\u06ceK\ufffda\u001e\ufffd\u0015L\ufffd \t\ufffd\ufffd&,\u03c1\ufffd\ufffd\u001c\ufffdK\u001c\ufffd\u001c\u0001\ufffd\ufffd\ufffdn\ufffd<\ufffd\u0019\ufffd\ufffd\ufffd\ufffd$\ufffd\u0005!\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd<\ufffdV\ufffd\ufffd\u0002\ufffd\ufffd\u07dc\ufffd\ufffd#\u001a\ufffd\ufffdj4\ufffd\ufffd\ufffd\ufffd\ufffdv<\ufffd\ufffd\ufffdH\u000f", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>\ufffd\ufffd\ufffdS\ufffd\r\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd&U\ufffd\ufffd2\ufffd\u06ceK\ufffda\u001e\ufffd\u0015L\ufffd \t\ufffd\ufffd&,\u03c1\ufffd\ufffd\u001c\ufffdK\u001c\ufffd\u001c\u0001\ufffd\ufffd\ufffdn\ufffd<\ufffd\u0019\ufffd\ufffd\ufffd\ufffd$\ufffd\u0005!\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>\ufffd\ufffd\ufffdS\ufffd\r\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd&U\ufffd\ufffd2\ufffd\u06ceK\ufffda\u001e\ufffd\u0015L\ufffd \t\ufffd\ufffd&,\u03c1\ufffd\ufffd\u001c\ufffdK\u001c\ufffd\u001c\u0001\ufffd\ufffd\ufffdn\ufffd<\ufffd\u0019\ufffd\ufffd\ufffd\ufffd$\ufffd\u0005!\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd<\ufffdV\ufffd\ufffd\u0002\ufffd\ufffd\u07dc\ufffd\ufffd#\u001a\ufffd\ufffdj4\ufffd\ufffd\ufffd\ufffd\ufffdv<\ufffd\ufffd\ufffdH\u000f", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>\ufffd\ufffd\ufffdS\ufffd\r\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd&U\ufffd\ufffd2\ufffd\u06ceK\ufffda\u001e\ufffd\u0015L\ufffd \t\ufffd\ufffd&,\u03c1\ufffd\ufffd\u001c\ufffdK\u001c\ufffd\u001c\u0001\ufffd\ufffd\ufffdn\ufffd<\ufffd\u0019\ufffd\ufffd\ufffd\ufffd$\ufffd\u0005!\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6c8603b03399047343b963057238c6d9879ca467", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Élevé · 68
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 7 Recommandation Investiguer Tags 950326:rce-0 http_metasploit_ua net_flood Cible HTTP GET /keys.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /keys.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /keys.json HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) XV6800 Règles WAF rce-0 Payload (extrait) GET /keys.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) XV6800 Requête brute (extrait) GET /keys.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) XV6800 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "26af3f474502b6ee6974e1ecd11c9f00f48ffd48", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "c3ac892564a71141581a4e5efe8d4174457be60d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 197, "payload_entropy": 5.331844194470788, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 36, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 4.9, "risk_breakdown": { "waf": 36, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 68, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71aa9c29fcc12cd25777e69031e1a9e5b0c4c6de", "event_fingerprint": "1e3ec76224ef9e01ce0a35baf2e7687425d37696", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6abf26095f94f80be82043d407fbb555", "payload_hash": "0c0f7f7b73bf9f1297ca7894d82128aa", "path_pattern_hash": "ac1c8497c117520986c9f2f44ae6cfa7" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) XV6800", "method": "GET", "path": "\/keys.json", "user_agent": "Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) XV6800", "waf_tags": [ "950326:rce-0" ], "waf_rule_names": [ "rce-0" ], "request_line": "GET \/keys.json HTTP\/1.1", "request_sample": "GET \/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) XV6800\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) XV6800", "evidence": { "method": "GET", "path": "\/keys.json", "user_agent": "Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) XV6800", "waf_tags": [ "950326:rce-0" ], "waf_rule_names": [ "rce-0" ], "request_line": "GET \/keys.json HTTP\/1.1", "request_sample": "GET \/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) XV6800\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) XV6800", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2d68b56758edfd93ec28afadf2133dd9a15c2ab5", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "http_metasploit_ua", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /api_keys.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api_keys.yml Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api_keys.yml HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D60 Safari/604.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /api_keys.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWeb Requête brute (extrait) GET /api_keys.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D60 Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "3a9bcdd3dc2905bd8ddd2bff52683409793493aa", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "b1b0ece8c60b688b45eb0e1d24e20b9eba285b7f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.389393786513019, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "899eee33290db54b7be0e362049a6d9e9fea0c66", "event_fingerprint": "89c52153e4427cb6d7a954ffa375b4d4afa0fa55", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "577b9f58c4e51138d6e0cd22cf64da14", "payload_hash": "fb5d6a8b45581f2fda614787a916670f", "path_pattern_hash": "5ca9a05c1d66736244e2d5f5eca525aa" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api_keys.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWeb", "method": "GET", "path": "\/api_keys.yml", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15D60 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/api_keys.yml HTTP\/1.1", "request_sample": "GET \/api_keys.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15D60 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/api_keys.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWeb", "evidence": { "method": "GET", "path": "\/api_keys.yml", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15D60 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/api_keys.yml HTTP\/1.1", "request_sample": "GET \/api_keys.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15D60 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/api_keys.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWeb", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9f469a9ba82022aa59c009a627d9addf20c4aa04", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /db.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /db.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /db.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 2.2; en-us; Droid Build/FRG22D) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /db.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; Droid Build/FRG22D) AppleWe Requête brute (extrait) GET /db.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; Droid Build/FRG22D) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "e6e6f1a40b7ab3bfb5ec8ac6fc82910ab9af46f3", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "47618fdbcf9ecf5f0f0b812f27dd0a99e70be33b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.3895903279050055, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "899eee33290db54b7be0e362049a6d9e9fea0c66", "event_fingerprint": "611b5bbb608b50dab7c7ab689abbb7950328bc67", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ac75ec6b3d89b65d03b6493aea5f1b4b", "payload_hash": "9bbc01740265fba949df470f2d68be96", "path_pattern_hash": "d53ec0e591dd049d89b7330804ee0a04" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/db.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D) AppleWe", "method": "GET", "path": "\/db.json", "user_agent": "Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/db.json HTTP\/1.1", "request_sample": "GET \/db.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/db.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D) AppleWe", "evidence": { "method": "GET", "path": "\/db.json", "user_agent": "Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/db.json HTTP\/1.1", "request_sample": "GET \/db.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/db.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D) AppleWe", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "59fbfdd479bd459a7a8a63c21c0880c10110501b", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��FF�yY⏸��x�XA��͡49P46g3p- t�\F��!l��ԙg��n�A3XF��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��FF�yY⏸��x�XA��͡49P46g3p- t�\F��!l��ԙg��n�A3XF��&�+�/�,�0̨̩� �� /5� w �+3&$ � ݦy11H�8�;��䍀z)U�T�/VP� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.874071815414702, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "59ac843b9a4cc301bb53194024da8465", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003FF\ufffdyY\u23f8\ufffd\ufffd\ufffdx\ufffdXA\ufffd\ufffd\ufffd\u0361\u001049P4\u00036g3p- t\ufffd\\F\ufffd\ufffd!l\ufffd\ufffd\ufffd\u0519g\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\ufffdn\ufffdA3X\u001d\u001eF\ufffd\u0002\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003FF\ufffdyY\u23f8\ufffd\ufffd\ufffdx\ufffdXA\ufffd\ufffd\ufffd\u0361\u001049P4\u00036g3p- t\ufffd\\F\ufffd\ufffd!l\ufffd\ufffd\ufffd\u0519g\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\ufffdn\ufffdA3X\u001d\u001eF\ufffd\u0002\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\t\u0766y11H\ufffd8\ufffd\u037e\ufffd\ufffd\u4340z)U\u0019\ufffd\u0018T\ufffd\/VP\ufffd\u0014", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003FF\ufffdyY\u23f8\ufffd\ufffd\ufffdx\ufffdXA\ufffd\ufffd\ufffd\u0361\u001049P4\u00036g3p- t\ufffd\\F\ufffd\ufffd!l\ufffd\ufffd\ufffd\u0519g\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\ufffdn\ufffdA3X\u001d\u001eF\ufffd\u0002\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003FF\ufffdyY\u23f8\ufffd\ufffd\ufffdx\ufffdXA\ufffd\ufffd\ufffd\u0361\u001049P4\u00036g3p- t\ufffd\\F\ufffd\ufffd!l\ufffd\ufffd\ufffd\u0519g\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\ufffdn\ufffdA3X\u001d\u001eF\ufffd\u0002\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\t\u0766y11H\ufffd8\ufffd\u037e\ufffd\ufffd\u4340z)U\u0019\ufffd\u0018T\ufffd\/VP\ufffd\u0014", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003FF\ufffdyY\u23f8\ufffd\ufffd\ufffdx\ufffdXA\ufffd\ufffd\ufffd\u0361\u001049P4\u00036g3p- t\ufffd\\F\ufffd\ufffd!l\ufffd\ufffd\ufffd\u0519g\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\ufffdn\ufffdA3X\u001d\u001eF\ufffd\u0002\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "01866587e0705d7cc1493bebad0e65947d4e17a8", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Élevé · 71
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/config.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api/config.yml Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/config.yml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/config.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537 Requête brute (extrait) GET /api/config.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "a462c8ab92e25e3b7d82632b0b39076a5905cb5c", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "4744e451f0e5837e40fea15eeae656c670359c61", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.423774726261376, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 6, "anomaly_count": 0, "campaign_key": "b6385f0d3ef331fcb574f3f8ea2b2239cb412176", "event_fingerprint": "3cad85c34ee31841cdbfff9aace5d61374dc29d8", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "aa4bf7c6e91118abdcf9d37d0508a2b7", "payload_hash": "58e902b7a43da7a3ae2819abdd49d9eb", "path_pattern_hash": "1d6a542ea609410a54ba728eccda5c8b" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537", "method": "GET", "path": "\/api\/config.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/config.yml HTTP\/1.1", "request_sample": "GET \/api\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/api\/config.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/config.yml HTTP\/1.1", "request_sample": "GET \/api\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "091c43c808ef4951155f74af00b9af84bdd6e2e9", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Élevé · 71
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/secrets.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api/secrets.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/secrets.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/secrets.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit/ Requête brute (extrait) GET /api/secrets.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "67cd2aa88754575f856c2edf38d4b5159963a959", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "675d01a5474244566ef1d5a82ce40d38f67dbb45", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 265, "payload_entropy": 5.368742708422087, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.3, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 7, "anomaly_count": 0, "campaign_key": "f1be6616279859b1fc848e2d60c0fa1b58e6fe76", "event_fingerprint": "b5c8254f813714ce9bfaa3e6cc0649597d2982aa", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "57322d07efe3c4afc6e4b5dae3823bbb", "payload_hash": "e09599404007ea5e657cb88b1d6b582e", "path_pattern_hash": "b53eff7db028e03bf33970251ded1001" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/", "method": "GET", "path": "\/api\/secrets.json", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/secrets.json HTTP\/1.1", "request_sample": "GET \/api\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/api\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/api\/secrets.json", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/secrets.json HTTP\/1.1", "request_sample": "GET \/api\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/api\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8c1189585b8a548df5d728383d3e0162c72f1b64", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_k8s_probe", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��/<Cc��N��;JM��bb��m0 �� ?\| y%;�8]��S�Pbr7 �ɛ�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��/<Cc��N��;JM��bb��m0 �� ?\| y%;�8]��S�Pbr7 �ɛ�&�+�/�,�0̨̩� �� /5� w �+3&$ Ijk�q��6`ZN�)յϤb��O^F�À�G Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.854188186856659, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "60f543518991e7909290d70ccc9bcc98", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001a\/<Cc\ufffd\ufffd\u001bN\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd;J\u000fM\ufffd\u0003\ufffdbb\ufffd\u001b\ufffdm0 \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\n\ufffd?\|\u0006 y%;\ufffd8]\ufffd\ufffdS\ufffdPbr7\u001f\n\ufffd\u025b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001a\/<Cc\ufffd\ufffd\u001bN\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd;J\u000fM\ufffd\u0003\ufffdbb\ufffd\u001b\ufffdm0 \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\n\ufffd?\|\u0006 y%;\ufffd8]\ufffd\ufffdS\ufffdPbr7\u001f\n\ufffd\u025b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u000eIj\u0016k\ufffdq\ufffd\ufffd6`ZN\ufffd)\u0575\u03e4b\ufffd\ufffdO^\u001eF\ufffd\u00c0\ufffdG", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001a\/<Cc\ufffd\ufffd\u001bN\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd;J\u000fM\ufffd\u0003\ufffdbb\ufffd\u001b\ufffdm0 \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\n\ufffd?\|\u0006 y%;\ufffd8]\ufffd\ufffdS\ufffdPbr7\u001f\n\ufffd\u025b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001a\/<Cc\ufffd\ufffd\u001bN\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd;J\u000fM\ufffd\u0003\ufffdbb\ufffd\u001b\ufffdm0 \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\n\ufffd?\|\u0006 y%;\ufffd8]\ufffd\ufffdS\ufffdPbr7\u001f\n\ufffd\u025b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u000eIj\u0016k\ufffdq\ufffd\ufffd6`ZN\ufffd)\u0575\u03e4b\ufffd\ufffdO^\u001eF\ufffd\u00c0\ufffdG", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001a\/<Cc\ufffd\ufffd\u001bN\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd;J\u000fM\ufffd\u0003\ufffdbb\ufffd\u001b\ufffdm0 \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\n\ufffd?\|\u0006 y%;\ufffd8]\ufffd\ufffdS\ufffdPbr7\u001f\n\ufffd\u025b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e7b2ff48d5facdf2a89dd562fb7120a226f277d3", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /credentials.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /credentials.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /credentials.json HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /credentials.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/53 Requête brute (extrait) GET /credentials.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "55e57b9dd5237e541d5335b9f5de52f0584f82cd", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "52ce12cd9608e2aaf265869963eb9ccc97689fda", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.396211299896203, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f232e17feb7cd27e909ee36127e4e95c42c85033", "event_fingerprint": "2df63002dd2b4e428bf187078321e04b81a9c633", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "118d225aed6df47619a7d3ac51f21a22", "payload_hash": "45e99693e13b26ea8daa04702d759c11", "path_pattern_hash": "2c897236c88b33a0e02927235471c8c3" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit\/53", "method": "GET", "path": "\/credentials.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1944.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/credentials.json HTTP\/1.1", "request_sample": "GET \/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1944.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/credentials.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1944.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/credentials.json HTTP\/1.1", "request_sample": "GET \/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1944.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit\/53", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c91cbe742bc72c2a823e41df8e399b3941e6e800", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_k8s_probe net_flood Cible HTTP GET /secrets.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /secrets.yaml Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /secrets.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML like Gecko) Maxthon/4.0.0.2000 Chrome/22.0.1229.79 Safari/537.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /secrets.yaml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML like Requête brute (extrait) GET /secrets.yaml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML like Gecko) Maxthon/4.0.0.2000 Chrome/22.0.1229.79 Safari/537.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "01598dc831cf10ebdee7ca57e3270c55d78fcb97", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "bed465ef7b10319d6adf1a5770456b92d16890b0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.407170568880222, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "d7102166650cb2d1612fd14a6d7cfb67c7c492cc", "event_fingerprint": "5b50617b20e27f56badab3ae2d65a07576bceaad", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "52ba95047eaa23df0f7bdeeeb3fb8391", "payload_hash": "355e04c2e531086e20adf9a84c837d4c", "path_pattern_hash": "48d0edff0af203e37d12a3776eddc53f" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/secrets.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.1 (KHTML like", "method": "GET", "path": "\/secrets.yaml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.1 (KHTML like Gecko) Maxthon\/4.0.0.2000 Chrome\/22.0.1229.79 Safari\/537.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/secrets.yaml HTTP\/1.1", "request_sample": "GET \/secrets.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.1 (KHTML like Gecko) Maxthon\/4.0.0.2000 Chrome\/22.0.1229.79 Safari\/537.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/secrets.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.1 (KHTML like", "evidence": { "method": "GET", "path": "\/secrets.yaml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.1 (KHTML like Gecko) Maxthon\/4.0.0.2000 Chrome\/22.0.1229.79 Safari\/537.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/secrets.yaml HTTP\/1.1", "request_sample": "GET \/secrets.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.1 (KHTML like Gecko) Maxthon\/4.0.0.2000 Chrome\/22.0.1229.79 Safari\/537.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/secrets.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.1 (KHTML like", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "46fad2f9bffc714d9b9bfcde47894f4f9c38b315", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_k8s_probe", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��m�M�?7yJ��uʒ�N�;�b� ,��S؉��5�f�Z�.��ר�C��eA`'�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��m�M�?7yJ��uʒ�N�;�b� ,��S؉��5�f�Z�.��ר�C��eA`'�&�+�/�,�0̨̩� �� /5� w �+3&$ O,:i�T�x�@�Vv��܊#��!�I�]��s Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.9205107979474985, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "ff41f685cab7e2a139ac1a96b4812b18", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdm\ufffdM\ufffd?7y\u0004J\ufffd\u001f\u0012\ufffd\u000e\ufffd\ufffd\u001du\u0292\ufffdN\ufffd;\ufffdb\ufffd\u000f\u0012\u0018 \u0001,\ufffd\ufffdS\u0609\ufffd\ufffd5\ufffdf\ufffdZ\ufffd.\ufffd\ufffd\u05e8\ufffdC\ufffd\ufffd\u001deA`'\u000e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdm\ufffdM\ufffd?7y\u0004J\ufffd\u001f\u0012\ufffd\u000e\ufffd\ufffd\u001du\u0292\ufffdN\ufffd;\ufffdb\ufffd\u000f\u0012\u0018 \u0001,\ufffd\ufffdS\u0609\ufffd\ufffd5\ufffdf\ufffdZ\ufffd.\ufffd\ufffd\u05e8\ufffdC\ufffd\ufffd\u001deA`'\u000e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 O,:i\u0006\ufffdT\ufffdx\ufffd@\ufffdVv\u0017\ufffd\ufffd\ufffd\u070a#\ufffd\ufffd\ufffd!\ufffdI\ufffd]\ufffd\ufffds", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdm\ufffdM\ufffd?7y\u0004J\ufffd\u001f\u0012\ufffd\u000e\ufffd\ufffd\u001du\u0292\ufffdN\ufffd;\ufffdb\ufffd\u000f\u0012\u0018 \u0001,\ufffd\ufffdS\u0609\ufffd\ufffd5\ufffdf\ufffdZ\ufffd.\ufffd\ufffd\u05e8\ufffdC\ufffd\ufffd\u001deA`'\u000e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdm\ufffdM\ufffd?7y\u0004J\ufffd\u001f\u0012\ufffd\u000e\ufffd\ufffd\u001du\u0292\ufffdN\ufffd;\ufffdb\ufffd\u000f\u0012\u0018 \u0001,\ufffd\ufffdS\u0609\ufffd\ufffd5\ufffdf\ufffdZ\ufffd.\ufffd\ufffd\u05e8\ufffdC\ufffd\ufffd\u001deA`'\u000e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 O,:i\u0006\ufffdT\ufffdx\ufffd@\ufffdVv\u0017\ufffd\ufffd\ufffd\u070a#\ufffd\ufffd\ufffd!\ufffdI\ufffd]\ufffd\ufffds", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdm\ufffdM\ufffd?7y\u0004J\ufffd\u001f\u0012\ufffd\u000e\ufffd\ufffd\u001du\u0292\ufffdN\ufffd;\ufffdb\ufffd\u000f\u0012\u0018 \u0001,\ufffd\ufffdS\u0609\ufffd\ufffd5\ufffdf\ufffdZ\ufffd.\ufffd\ufffd\u05e8\ufffdC\ufffd\ufffd\u001deA`'\u000e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "159aa0f38e909094f31365ff7a5ab8dc8e4385f8", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 22 Recommandation Investiguer Tags 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/credentials.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api/credentials.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/credentials.json HTTP/1.1` User-Agent msnbot/0.11 ( http://search.msn.com/msnbot.htm) Règles WAF ssrf-3 nosqli-3 k8s-api Payload (extrait) GET /api/credentials.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: msnbot/0.11 ( http://search.msn.com/msnbot.htm) Accept-C Requête brute (extrait) GET /api/credentials.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: msnbot/0.11 ( http://search.msn.com/msnbot.htm) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "89dd5d41d3d9d67804fa452fc26e0d1854f91e2f", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "bd2b2e522575cf2b6a79434a45baa745a109b7fe", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 187, "payload_entropy": 5.029704918453099, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 96, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 96, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 6, "anomaly_count": 0, "campaign_key": "a7d3649216c04749d5a7533a9c36f5330422ef90", "event_fingerprint": "02fa9538a3d5047890832895348aec20f767e4c3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8f1e26574192b3d2adfdd413095e2a21", "payload_hash": "b184f0930c20bde525f311f884b9f053", "path_pattern_hash": "324ca375a9560f0f0442f12c08f92527" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: msnbot\/0.11 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-C", "method": "GET", "path": "\/api\/credentials.json", "user_agent": "msnbot\/0.11 ( http:\/\/search.msn.com\/msnbot.htm)", "waf_tags": [ "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "ssrf-3", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/credentials.json HTTP\/1.1", "request_sample": "GET \/api\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: msnbot\/0.11 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: msnbot\/0.11 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-C", "evidence": { "method": "GET", "path": "\/api\/credentials.json", "user_agent": "msnbot\/0.11 ( http:\/\/search.msn.com\/msnbot.htm)", "waf_tags": [ "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "ssrf-3", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/credentials.json HTTP\/1.1", "request_sample": "GET \/api\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: msnbot\/0.11 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: msnbot\/0.11 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-C", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e7fb0edd99d138ae8ba988542b0b26d169f47266", "ban_policy": "advisory_investigate", "tags_list": [ "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /secret.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /secret.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /secret.json HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko/20040614 Firefox/3.0.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /secret.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko/ Requête brute (extrait) GET /secret.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko/20040614 Firefox/3.0.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "5183b59b571299ee1872f519219bf4c67961b483", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "11f90d09ab2be62b71e86ff2300d82bf95914c93", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.249010146885348, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f232e17feb7cd27e909ee36127e4e95c42c85033", "event_fingerprint": "9291bc7790bef64aa81c42cae26b58159d08b912", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b6c9ae6675288a92970bda0849a8ccbb", "payload_hash": "7570b31041a670f2cc2b749bc2bd962b", "path_pattern_hash": "b9a820ca8b2e17563e04a37bc3cb0c35" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/secret.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko\/", "method": "GET", "path": "\/secret.json", "user_agent": "Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko\/20040614 Firefox\/3.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/secret.json HTTP\/1.1", "request_sample": "GET \/secret.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko\/20040614 Firefox\/3.0.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/secret.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko\/", "evidence": { "method": "GET", "path": "\/secret.json", "user_agent": "Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko\/20040614 Firefox\/3.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/secret.json HTTP\/1.1", "request_sample": "GET \/secret.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko\/20040614 Firefox\/3.0.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/secret.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko\/", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d329fee7f58abdde51c98a8a4a7d2f0797cc7992", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��˦m��K�q�.?�O:<�a�o��A )2��~��[�o� �>��Du�J!��f�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��˦m��K�q�.?�O:<�a�o��A )2��~��[�o� �>��Du�J!��f�&�+�/�,�0̨̩� �� /5� w �+3&$ ��7�u�[k[ �35]�"�(�3+r��;g�! Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.85478769672452, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "918b0b73e2fda2a69929209c950401da", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u000f\u02e6m\ufffd\ufffd\ufffd\ufffdK\ufffdq\ufffd.\u0017?\ufffd\bO:<\ufffda\ufffdo\u0004\ufffd\ufffd\ufffdA )2\ufffd\ufffd~\ufffd\ufffd\ufffd\ufffd[\ufffd\u0012o\ufffd\n\u0017\ufffd>\ufffd\ufffd\u0010Du\ufffdJ!\ufffd\ufffd\ufffdf\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u000f\u02e6m\ufffd\ufffd\ufffd\ufffdK\ufffdq\ufffd.\u0017?\ufffd\bO:<\ufffda\ufffdo\u0004\ufffd\ufffd\ufffdA )2\ufffd\ufffd~\ufffd\ufffd\ufffd\ufffd[\ufffd\u0012o\ufffd\n\u0017\ufffd>\ufffd\ufffd\u0010Du\ufffdJ!\ufffd\ufffd\ufffdf\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd7\ufffd\u001eu\ufffd[k[\f\ufffd35]\ufffd\"\u0018\ufffd(\ufffd3+r\ufffd\ufffd\ufffd\ufffd;g\ufffd!", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u000f\u02e6m\ufffd\ufffd\ufffd\ufffdK\ufffdq\ufffd.\u0017?\ufffd\bO:<\ufffda\ufffdo\u0004\ufffd\ufffd\ufffdA )2\ufffd\ufffd~\ufffd\ufffd\ufffd\ufffd[\ufffd\u0012o\ufffd\n\u0017\ufffd>\ufffd\ufffd\u0010Du\ufffdJ!\ufffd\ufffd\ufffdf\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u000f\u02e6m\ufffd\ufffd\ufffd\ufffdK\ufffdq\ufffd.\u0017?\ufffd\bO:<\ufffda\ufffdo\u0004\ufffd\ufffd\ufffdA )2\ufffd\ufffd~\ufffd\ufffd\ufffd\ufffd[\ufffd\u0012o\ufffd\n\u0017\ufffd>\ufffd\ufffd\u0010Du\ufffdJ!\ufffd\ufffd\ufffdf\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd7\ufffd\u001eu\ufffd[k[\f\ufffd35]\ufffd\"\u0018\ufffd(\ufffd3+r\ufffd\ufffd\ufffd\ufffd;g\ufffd!", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u000f\u02e6m\ufffd\ufffd\ufffd\ufffdK\ufffdq\ufffd.\u0017?\ufffd\bO:<\ufffda\ufffdo\u0004\ufffd\ufffd\ufffdA )2\ufffd\ufffd~\ufffd\ufffd\ufffd\ufffd[\ufffd\u0012o\ufffd\n\u0017\ufffd>\ufffd\ufffd\u0010Du\ufffdJ!\ufffd\ufffd\ufffdf\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d4291b31d72dc333dd2f1e336d3ac3b39e926107", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Élevé · 71
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/settings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api/settings.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/settings.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/settings.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit/53 Requête brute (extrait) GET /api/settings.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "db8d17a8037deeb666ae7780dd22b987a1507927", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "fbbc2fe6ffa673120e2143579206c207fd9a2f04", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 262, "payload_entropy": 5.424031079833316, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 6, "anomaly_count": 0, "campaign_key": "b6385f0d3ef331fcb574f3f8ea2b2239cb412176", "event_fingerprint": "44b96d0387ac3386dba338dadb91fa8150f11ce3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "55e79b0731b665179b078f6c2ca76344", "payload_hash": "0f18b18a47e111bb0e56cbb97e61f5c1", "path_pattern_hash": "603fa88b9ea2fe408c03592c8df3f75e" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/53", "method": "GET", "path": "\/api\/settings.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/settings.json HTTP\/1.1", "request_sample": "GET \/api\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/api\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/api\/settings.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/settings.json HTTP\/1.1", "request_sample": "GET \/api\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/api\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/53", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1aa94adac017e16f7a2eee3906e13d83282f0dc5", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Élevé · 71
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/parameters.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api/parameters.yml Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/parameters.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/parameters.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touc Requête brute (extrait) GET /api/parameters.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Accept-Charset: utf-8 Accept-Enco Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "d7524cb8f6bca20d6e635bf54e6b08baad462745", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "7911dc65ded0ff04acb5097887faf07b57d9f3ba", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 289, "payload_entropy": 5.4025563432563715, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 6, "anomaly_count": 0, "campaign_key": "3473deb14a54fa325258202fd0e574b47016a699", "event_fingerprint": "30c4639661f4bd0b8bfb51dd516e13ab9197f9c8", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1a12f49730945b9c394ae9871edf3a4f", "payload_hash": "16be9b0fd4ba093ba5b81d6327c70cd4", "path_pattern_hash": "25d742602b46e959c7961a08265c9c47" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touc", "method": "GET", "path": "\/api\/parameters.yml", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/parameters.yml HTTP\/1.1", "request_sample": "GET \/api\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Enco", "payload_snippet": "GET \/api\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touc", "evidence": { "method": "GET", "path": "\/api\/parameters.yml", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/parameters.yml HTTP\/1.1", "request_sample": "GET \/api\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Enco", "payload_snippet": "GET \/api\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touc", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ff4ecc6bb298c2654c4efb84b8ecf2d28d4e2707", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��Y��;j��cd��G��H#�]҂ ;OtbV�Λ#Q�d�>��3�?�R��j�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Y��;j��cd��G��H#�]҂ ;OtbV�Λ#Q�d�>��3�?�R��j�&�+�/�,�0̨̩� �� /5� w �+3&$ ��s&�=I�5!�5�LZ�A��ݻ�b�V�U Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.848052616555883, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "bf20ad9be76674bb8171726c4d2331bd", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdY\ufffd\ufffd\u001b;j\u0004\ufffd\ufffd\u0019\ufffdcd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffdH\b#\ufffd]\u0482 \u037eOtbV\ufffd\u039b#Q\ufffdd\ufffd>\ufffd\ufffd3\ufffd?\ufffd\u0000R\ufffd\ufffd\u000e\ufffdj\ufffd\u0019\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdY\ufffd\ufffd\u001b;j\u0004\ufffd\ufffd\u0019\ufffdcd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffdH\b#\ufffd]\u0482 \u037eOtbV\ufffd\u039b#Q\ufffdd\ufffd>\ufffd\ufffd3\ufffd?\ufffd\u0000R\ufffd\ufffd\u000e\ufffdj\ufffd\u0019\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0019\ufffd\ufffds&\ufffd=I\ufffd5\u001e!\ufffd5\ufffdLZ\ufffdA\ufffd\ufffd\u077b\ufffdb\u0004\ufffdV\ufffdU", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdY\ufffd\ufffd\u001b;j\u0004\ufffd\ufffd\u0019\ufffdcd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffdH\b#\ufffd]\u0482 \u037eOtbV\ufffd\u039b#Q\ufffdd\ufffd>\ufffd\ufffd3\ufffd?\ufffd\u0000R\ufffd\ufffd\u000e\ufffdj\ufffd\u0019\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdY\ufffd\ufffd\u001b;j\u0004\ufffd\ufffd\u0019\ufffdcd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffdH\b#\ufffd]\u0482 \u037eOtbV\ufffd\u039b#Q\ufffdd\ufffd>\ufffd\ufffd3\ufffd?\ufffd\u0000R\ufffd\ufffd\u000e\ufffdj\ufffd\u0019\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0019\ufffd\ufffds&\ufffd=I\ufffd5\u001e!\ufffd5\ufffdLZ\ufffdA\ufffd\ufffd\u077b\ufffdb\u0004\ufffdV\ufffdU", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdY\ufffd\ufffd\u001b;j\u0004\ufffd\ufffd\u0019\ufffdcd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffdH\b#\ufffd]\u0482 \u037eOtbV\ufffd\u039b#Q\ufffd*d\ufffd>\ufffd\ufffd3\ufffd?\ufffd\u0000R\ufffd\ufffd\u000e\ufffdj\ufffd\u0019\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ee2f5e37b6bb920c95eaaad18b81ecf3a315e71a", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��]�� Fٜm�s��/��0�Cˊ<�b44� ��=�c��0 �U��S��0�h�ߞ�[\|�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��]�� Fٜm�s��/��0�Cˊ<�b44� ��=�c��0 �U��S��0�h�ߞ�[\|�&�+�/�,�0̨̩� �� /5� w �+3&$ �yG�L��)��N�}w�g(��E&�� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.834164974635447, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "c27577be48e76c11da06197868075795", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003]\ufffd\ufffd\t\u001c\ufffdF\u065cm\ufffds\ufffd\ufffd\u0015\/\ufffd\ufffd\ufffd0\ufffdC\u02ca<\ufffdb44\u0017\ufffd\u0005 \ufffd\ufffd=\ufffdc\ufffd\ufffd0\r\ufffdU\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffd\ufffd0\ufffdh\ufffd\u07de\ufffd[\u001f\|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003]\ufffd\ufffd\t\u001c\ufffdF\u065cm\ufffds\ufffd\ufffd\u0015\/\ufffd\ufffd\ufffd0\ufffdC\u02ca<\ufffdb44\u0017\ufffd\u0005 \ufffd\ufffd=\ufffdc\ufffd\ufffd0\r\ufffdU\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffd\ufffd0\ufffdh\ufffd\u07de\ufffd[\u001f\|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdyG\ufffdL\u0018\ufffd\ufffd)\ufffd\ufffd\u0013\ufffd\u0014N\ufffd}w\ufffdg\u0017(\ufffd\ufffd\ufffdE&\ufffd\ufffd\u0000\ufffd\u0010", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003]\ufffd\ufffd\t\u001c\ufffdF\u065cm\ufffds\ufffd\ufffd\u0015\/\ufffd\ufffd\ufffd0\ufffdC\u02ca<\ufffdb44\u0017\ufffd\u0005 \ufffd\ufffd=\ufffdc\ufffd\ufffd0\r\ufffdU\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffd\ufffd0\ufffdh\ufffd\u07de\ufffd[\u001f\|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003]\ufffd\ufffd\t\u001c\ufffdF\u065cm\ufffds\ufffd\ufffd\u0015\/\ufffd\ufffd\ufffd0\ufffdC\u02ca<\ufffdb44\u0017\ufffd\u0005 \ufffd\ufffd=\ufffdc\ufffd\ufffd0\r\ufffdU\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffd\ufffd0\ufffdh\ufffd\u07de\ufffd[\u001f\|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdyG\ufffdL\u0018\ufffd\ufffd)\ufffd\ufffd\u0013\ufffd\u0014N\ufffd}w\ufffdg\u0017(\ufffd\ufffd\ufffdE&\ufffd\ufffd\u0000\ufffd\u0010", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003]\ufffd\ufffd\t\u001c\ufffdF\u065cm\ufffds\ufffd\ufffd\u0015\/\ufffd\ufffd\ufffd0\ufffdC\u02ca<\ufffdb44\u0017\ufffd\u0005 \ufffd\ufffd=\ufffdc\ufffd\ufffd0\r\ufffdU\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffd\ufffd0\ufffdh\ufffd\u07de\ufffd[\u001f\|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "87792d43db1d90f566dcd7f87762274b64e3541c", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Élevé · 71
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/keys.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api/keys.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/keys.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/keys.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /api/keys.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "0b64792790bfe5aae712bab74a5c284677cee5d4", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "84a715d1257e1c7270fd4b5277fc01e018c146dc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 243, "payload_entropy": 5.411305093480591, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 6, "anomaly_count": 0, "campaign_key": "3473deb14a54fa325258202fd0e574b47016a699", "event_fingerprint": "bee2bd268f9155c69c4d881243e047cd0c49cc73", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "303d077d9de5f8a596d41b4f0a301373", "payload_hash": "1c625f78ff944eb8a40219125b84b245", "path_pattern_hash": "6d95f93570c4e44d9256855c13ac0e8a" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api\/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/api\/keys.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/keys.json HTTP\/1.1", "request_sample": "GET \/api\/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/api\/keys.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/keys.json HTTP\/1.1", "request_sample": "GET \/api\/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1a252ee52dfbf9b2d9e2538d09f362a428de8e6b", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��9܍qL��tKz1��i �e�� y�f�r�;��<�h��0�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) �� 9 ܍qL��tKz1��i �e�� y�f�r�;��<�h��0�&�+�/�,�0̨̩� �� /5� w �+3&$ vy�4��T7.��7 �� <ݢqwG��>T�{8 Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.87272807368182, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "049a2cc5bd0b38908ade3d862882bbc0", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0012\ufffd\ufffd\f\ufffd\ufffd\ufffd9\f\u070dqL\ufffd\u001d\ufffdtKz\u001c1\ufffd\ufffd\u0015\ufffd\u0012\ufffdi \u001c\u0012\ufffde\ufffd\ufffd\r\ufffd\ufffd\ufffd\ufffdy\u001e\ufffdf\ufffdr\ufffd;\ufffd\u0005\ufffd\ufffd<\ufffdh\ufffd\ufffd0\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0012\ufffd\ufffd\f\ufffd\ufffd\ufffd9\f\u070dqL\ufffd\u001d\ufffdtKz\u001c1\ufffd\ufffd\u0015\ufffd\u0012\ufffdi \u001c\u0012\ufffde\ufffd\ufffd\r\ufffd\ufffd\ufffd\ufffdy\u001e\ufffdf\ufffdr\ufffd;\ufffd\u0005\ufffd\ufffd<\ufffdh\ufffd\ufffd0\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 vy\ufffd4\ufffd\ufffdT7.\ufffd\ufffd7\f\ufffd\u0014\b\ufffd\f<\u0762qwG\ufffd\ufffd>T\ufffd{8\u0015", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0012\ufffd\ufffd\f\ufffd\ufffd\ufffd9\f\u070dqL\ufffd\u001d\ufffdtKz\u001c1\ufffd\ufffd\u0015\ufffd\u0012\ufffdi \u001c\u0012\ufffde\ufffd\ufffd\r\ufffd\ufffd\ufffd\ufffdy\u001e\ufffdf\ufffdr\ufffd;\ufffd\u0005\ufffd\ufffd<\ufffdh\ufffd\ufffd0\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0012\ufffd\ufffd\f\ufffd\ufffd\ufffd9\f\u070dqL\ufffd\u001d\ufffdtKz\u001c1\ufffd\ufffd\u0015\ufffd\u0012\ufffdi \u001c\u0012\ufffde\ufffd\ufffd\r\ufffd\ufffd\ufffd\ufffdy\u001e\ufffdf\ufffdr\ufffd;\ufffd\u0005\ufffd\ufffd<\ufffdh\ufffd\ufffd0\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 vy\ufffd4\ufffd\ufffdT7.\ufffd\ufffd7\f\ufffd\u0014\b\ufffd\f<\u0762qwG\ufffd\ufffd>T\ufffd{8\u0015", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0012\ufffd\ufffd\f\ufffd\ufffd\ufffd9\f\u070dqL\ufffd\u001d\ufffdtKz\u001c1\ufffd\ufffd\u0015\ufffd\u0012\ufffdi \u001c\u0012\ufffde\ufffd\ufffd\r\ufffd\ufffd\ufffd\ufffdy\u001e\ufffdf*\ufffdr\ufffd;\ufffd\u0005\ufffd\ufffd<\ufffdh\ufffd\ufffd0\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ce6995d2f415ea6fb82db73d26d04d67ca8e0731", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��)Hr.ѧ,��n7�PWg�{m�e�8�O�� H<��&�@��q�K3���S��E`g&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��)Hr.ѧ,��n7�PWg�{m�e�8�O�� H<��&�@��q�K3���S��E`g&�+�/�,�0̨̩� �� /5� w �+3&$ a��j"�s��\|z%�J�jn~�F��&na- Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.806040964800385, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "a930ccb73036bf8d3b891dee125cebf9", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)Hr.\u0467,\ufffd\u0000\ufffd\u0002n7\ufffdPWg\u0015\ufffd{m\ufffde\ufffd8\u0001\ufffdO\ufffd\ufffd\f H<\u001e\ufffd\ufffd\ufffd&\ufffd@\ufffd\u0007\ufffdq\u001a\ufffdK3\ufffd\ufffd\ufffd\u0019\ufffdS\ufffd\u0005\ufffd\u0004E`g\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)Hr.\u0467,\ufffd\u0000\ufffd\u0002n7\ufffdPWg\u0015\ufffd{m\ufffde\ufffd8\u0001\ufffdO\ufffd\ufffd\f H<\u001e\ufffd\ufffd\ufffd&\ufffd@\ufffd\u0007\ufffdq\u001a\ufffdK3\ufffd\ufffd\ufffd\u0019\ufffdS\ufffd\u0005\ufffd\u0004E`g\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 a\ufffd\ufffdj\"\ufffds\ufffd\ufffd\u001c\|\u0005z\u0004%\ufffd\u0018\u0017J\ufffdjn~\ufffdF\ufffd\ufffd&na-", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)Hr.\u0467,\ufffd\u0000\ufffd\u0002n7\ufffdPWg\u0015\ufffd{m\ufffde\ufffd8\u0001\ufffdO\ufffd\ufffd\f H<\u001e\ufffd\ufffd\ufffd&\ufffd@\ufffd\u0007\ufffdq\u001a\ufffdK3\ufffd\ufffd\ufffd\u0019\ufffdS\ufffd\u0005\ufffd\u0004E`g\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)Hr.\u0467,\ufffd\u0000\ufffd\u0002n7\ufffdPWg\u0015\ufffd{m\ufffde\ufffd8\u0001\ufffdO\ufffd\ufffd\f H<\u001e\ufffd\ufffd\ufffd&\ufffd@\ufffd\u0007\ufffdq\u001a\ufffdK3\ufffd\ufffd\ufffd\u0019\ufffdS\ufffd\u0005\ufffd\u0004E`g\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 a\ufffd\ufffdj\"\ufffds\ufffd\ufffd\u001c\|\u0005z\u0004%\ufffd\u0018\u0017J\ufffdjn~\ufffdF\ufffd\ufffd&na-", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)Hr.\u0467,\ufffd\u0000\ufffd\u0002n7\ufffdPWg\u0015\ufffd{m\ufffde\ufffd8\u0001\ufffdO\ufffd\ufffd\f H<\u001e\ufffd\ufffd\ufffd&\ufffd@\ufffd\u0007\ufffdq\u001a\ufffdK3\ufffd\ufffd\ufffd\u0019*\ufffdS\ufffd\u0005\ufffd\u0004E`g\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "309c691926dea498f8cb2b36b066f4ce3dd6df3b", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��Ga��<�E��k��4"o�7��NK�x剮� q� ��O�!� o1"<T��/\|l�u��6��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Ga��<�E��k��4"o�7��NK�x剮� q� ��O�!� o1"<T��/\|l�u��6��&�+�/�,�0̨̩� �� /5� w �+3&$ �o��:�� :9��q�]Ȣ�%��8��)\ Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.872552994267734, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "31a1696f92cdb55122ece8a1c7016cfd", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Ga\ufffd\ufffd<\ufffdE\ufffd\ufffdk\ufffd\ufffd\ufffd4\"o\ufffd7\ufffd\ufffdN\bK\ufffdx\u526e\ufffd\rq\ufffd \ufffd\ufffd\u0002O\u0017\ufffd!\ufffd\to1\u0004\"<T\ufffd\ufffd\u0004\/\|l\ufffdu\ufffd\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Ga\ufffd\ufffd<\ufffdE\ufffd\ufffdk\ufffd\ufffd\ufffd4\"o\ufffd7\ufffd\ufffdN\bK\ufffdx\u526e\ufffd\rq\ufffd \ufffd\ufffd\u0002O\u0017\ufffd!\ufffd\to1\u0004\"<T\ufffd\ufffd\u0004\/\|l\ufffdu\ufffd\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0011o\ufffd\ufffd\ufffd:\ufffd\ufffd\u000b:9\ufffd\ufffd\ufffdq\ufffd]\u0222\ufffd%\ufffd\ufffd\ufffd8\u001b\ufffd\ufffd\b)\\", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Ga\ufffd\ufffd<\ufffdE\ufffd\ufffdk\ufffd\ufffd\ufffd4\"o\ufffd7\ufffd\ufffdN\bK\ufffdx\u526e\ufffd\rq\ufffd \ufffd\ufffd\u0002O\u0017\ufffd!\ufffd\to1\u0004\"<T\ufffd\ufffd\u0004\/\|l\ufffdu\ufffd\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Ga\ufffd\ufffd<\ufffdE\ufffd\ufffdk\ufffd\ufffd\ufffd4\"o\ufffd7\ufffd\ufffdN\bK\ufffdx\u526e\ufffd\rq\ufffd \ufffd\ufffd\u0002O\u0017\ufffd!\ufffd\to1\u0004\"<T\ufffd\ufffd\u0004\/\|l\ufffdu\ufffd\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0011o\ufffd\ufffd\ufffd:\ufffd\ufffd\u000b:9\ufffd\ufffd\ufffdq\ufffd]\u0222\ufffd%\ufffd\ufffd\ufffd8\u001b\ufffd\ufffd\b)\\", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Ga\ufffd\ufffd<\ufffdE\ufffd\ufffdk\ufffd\ufffd\ufffd4\"o\ufffd7\ufffd\ufffdN\bK\ufffdx\u526e\ufffd\rq\ufffd \ufffd\ufffd\u0002O\u0017\ufffd!\ufffd\to1\u0004\"<T\ufffd\ufffd\u0004\/\|l\ufffdu\ufffd\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c6a7972f2a460fe1276f84ba36e1040de2bcd2ba", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_probe_db net_flood Cible HTTP GET /db.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /db.php Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /db.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3722.400 QQBrowser/10.5.3739.400 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /db.php HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Ge Requête brute (extrait) GET /db.php HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3722.400 QQBrowser/10.5.3739.400 Accept-Charset: utf-8 Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "d3186112ff4871be51d5d4d848cdbdff5c2acfde", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "25eff87de964ee0386ae3b7dc262cc750c04e9f6", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 278, "payload_entropy": 5.403557420066326, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "d7ada29264bf24d38a6adb26e74e94099cf1bb2e", "event_fingerprint": "af67e49422b996347e4287dc6c4430abbccb0cba", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3db18e6622666e10d6e284295d9ee94e", "payload_hash": "b955f581f699cf9d75c3bf013cddc7f7", "path_pattern_hash": "811319170a56ea52f00bd482e981607b" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/db.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Ge", "method": "GET", "path": "\/db.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3722.400 QQBrowser\/10.5.3739.400", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/db.php HTTP\/1.1", "request_sample": "GET \/db.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3722.400 QQBrowser\/10.5.3739.400\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r", "payload_snippet": "GET \/db.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Ge", "evidence": { "method": "GET", "path": "\/db.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3722.400 QQBrowser\/10.5.3739.400", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/db.php HTTP\/1.1", "request_sample": "GET \/db.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3722.400 QQBrowser\/10.5.3739.400\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r", "payload_snippet": "GET \/db.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Ge", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d9dadd11d4917565a0bff9f6ef71eea0afceb036", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_probe_db", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Élevé · 71
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/appsettings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api/appsettings.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/appsettings.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; SM-T580) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Safari/537.36 Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/appsettings.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; SM-T580) AppleWebKit/5 Requête brute (extrait) GET /api/appsettings.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; SM-T580) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "71580ff4c2844221f4b1e1e55846a90adfae2040", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "16223ed774af363bfa3a19e07c4401628555ae7f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.371242896125598, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 6, "anomaly_count": 0, "campaign_key": "b6385f0d3ef331fcb574f3f8ea2b2239cb412176", "event_fingerprint": "00b692a0c33db91900cea7f2b9bfe92744582492", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2656e5938eeb9d2a1a4db84d22dac348", "payload_hash": "e9dffa5e5760b5d667534c36aea227d5", "path_pattern_hash": "9a59da8a4826d25b327ad6f6ccd7a0fe" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-T580) AppleWebKit\/5", "method": "GET", "path": "\/api\/appsettings.json", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-T580) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/appsettings.json HTTP\/1.1", "request_sample": "GET \/api\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-T580) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/api\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-T580) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/api\/appsettings.json", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-T580) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/appsettings.json HTTP\/1.1", "request_sample": "GET \/api\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-T580) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/api\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-T580) AppleWebKit\/5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3db58ae0b0e4d879f617d673cd50cac1fae827f6", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��X��j-4�!�%1�C��E�� Tw!�r�K4g�8��V��=!��=�Q&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��X��j-4�!�%1�C��E�� Tw!�r�K4g�8��V��=!��=�Q&�+�/�,�0̨̩� �� /5� w �+3&$ U�+�OJ1��P�-\|bCaIWu�u:��T��iUt1 Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.838276181264314, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "1dedb06a449f46068c6a86e4dbea2842", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001a\ufffd\ufffdX\ufffd\ufffdj-4\ufffd!\ufffd\u0017%1\ufffdC\ufffd\ufffd\u0004\ufffd\ufffd\u0010\ufffd\u0006\ufffdE\u0003\ufffd\ufffd T\u001aw!\u0011\ufffdr\ufffd\u0016K4g\ufffd\u001f8\ufffd\ufffd\ufffdV\ufffd\u0002\ufffd\b\ufffd=!\ufffd\ufffd=\ufffdQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001a\ufffd\ufffdX\ufffd\ufffdj-4\ufffd!\ufffd\u0017%1\ufffdC\ufffd\ufffd\u0004\ufffd\ufffd\u0010\ufffd\u0006\ufffdE\u0003\ufffd\ufffd T\u001aw!\u0011\ufffdr\ufffd\u0016K4g\ufffd\u001f8\ufffd\ufffd\ufffdV\ufffd\u0002\ufffd\b\ufffd=!\ufffd\ufffd=\ufffdQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 U\ufffd+\ufffdOJ1\ufffd\ufffdP\ufffd-\|bCaIWu\ufffdu:\ufffd\u0017\ufffdT\ufffd\ufffdiUt1", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001a\ufffd\ufffdX\ufffd\ufffdj-4\ufffd!\ufffd\u0017%1\ufffdC\ufffd\ufffd\u0004\ufffd\ufffd\u0010\ufffd\u0006\ufffdE\u0003\ufffd\ufffd T\u001aw!\u0011\ufffdr\ufffd\u0016K4g\ufffd\u001f8\ufffd\ufffd\ufffdV\ufffd\u0002\ufffd\b\ufffd=!\ufffd\ufffd=\ufffdQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001a\ufffd\ufffdX\ufffd\ufffdj-4\ufffd!\ufffd\u0017%1\ufffdC\ufffd\ufffd\u0004\ufffd\ufffd\u0010\ufffd\u0006\ufffdE\u0003\ufffd\ufffd T\u001aw!\u0011\ufffdr\ufffd\u0016K4g\ufffd\u001f8\ufffd\ufffd\ufffdV\ufffd\u0002\ufffd\b\ufffd=!\ufffd\ufffd=\ufffdQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 U\ufffd+\ufffdOJ1\ufffd\ufffdP\ufffd-\|bCaIWu\ufffdu:\ufffd\u0017\ufffdT\ufffd\ufffdiUt1", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001a\ufffd\ufffdX\ufffd\ufffdj-4\ufffd!\ufffd\u0017%1\ufffdC\ufffd\ufffd\u0004\ufffd\ufffd\u0010\ufffd\u0006\ufffdE\u0003\ufffd\ufffd T\u001aw!\u0011\ufffdr\ufffd\u0016K4g\ufffd\u001f8\ufffd\ufffd\ufffdV\ufffd\u0002\ufffd\b\ufffd=!\ufffd\ufffd=\ufffdQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "14a6df4d4c8a2930c91a7680033f97e97cd07d80", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��6^\��0� ̓긭�V?�}O\����R vӅ��W��7 "`F�MҵbqE��o�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) �� 6^\��0� ̓긭�V?�}O\����R vӅ��W��7 "`F�MҵbqE��o�&�+�/�,�0̨̩� �� /5� w �+3&$ ��2��n& ��f��"��2s��ۉ4X Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.846356747325071, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "79c8ccd8039127affe8a418fd7227844", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000b\ufffd6^\\\ufffd\ufffd0\ufffd \u0313\uae2d\ufffdV?\ufffd}O\\\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0005R \u0018v\u04c5\ufffd\ufffd\u001cW\ufffd\ufffd7\u0001 \"\u0019\u0000`F\ufffdM\u04b5bqE\ufffd\ufffd\ufffdo\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000b\ufffd6^\\\ufffd\ufffd0\ufffd \u0313\uae2d\ufffdV?\ufffd}O\\\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0005R \u0018v\u04c5\ufffd\ufffd\u001cW\ufffd\ufffd7\u0001 \"\u0019\u0000`F\ufffdM\u04b5bqE\ufffd\ufffd\ufffdo\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd2\ufffd\u0013\ufffdn&\f\ufffd\u0011\ufffd\ufffdf\ufffd\ufffd\ufffd\"\ufffd\ufffd\ufffd2s\ufffd\ufffd\u0011\ufffd\u000e\u06c94X", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000b\ufffd6^\\\ufffd\ufffd0\ufffd \u0313\uae2d\ufffdV?\ufffd}O\\\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0005R \u0018v\u04c5\ufffd\ufffd\u001cW\ufffd\ufffd7\u0001 \"\u0019\u0000`F\ufffdM\u04b5bqE\ufffd\ufffd\ufffdo\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000b\ufffd6^\\\ufffd\ufffd0\ufffd \u0313\uae2d\ufffdV?\ufffd}O\\\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0005R \u0018v\u04c5\ufffd\ufffd\u001cW\ufffd\ufffd7\u0001 \"\u0019\u0000`F\ufffdM\u04b5bqE\ufffd\ufffd\ufffdo\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd2\ufffd\u0013\ufffdn&\f\ufffd\u0011\ufffd\ufffdf\ufffd\ufffd\ufffd\"\ufffd\ufffd\ufffd2s\ufffd\ufffd\u0011\ufffd\u000e\u06c94X", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000b\ufffd6^\\\ufffd\ufffd0\ufffd \u0313\uae2d\ufffdV?\ufffd}O\\\ufffd\ufffd\ufffd*\ufffd\ufffd\ufffd\u0005R \u0018v\u04c5\ufffd\ufffd\u001cW\ufffd\ufffd7\u0001 \"\u0019\u0000`F\ufffdM\u04b5bqE\ufffd\ufffd\ufffdo\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "54b8a6df25231326d7eec835885927a5fbfc2337", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��8x�M��i�G��u��jP�!�H� ��cu_��^"��p0�^֚�v�A��X8&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��8x �M��i�G��u��jP�!�H� ��cu_��^"��p0�^֚�v�A��X8&�+�/�,�0̨̩� �� /5� w �+3&$ �Ӳ�R�gC�MJfU��x"ܹ{�˅��J Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.845390840635316, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "5cb6e615e7b6e5e9835a707b2e0b7f9d", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd8\u0016x\u000b\ufffdM\ufffd\ufffd\u0012\ufffd\ufffdi\ufffdG\ufffd\ufffd\u0003\ufffdu\ufffd\ufffd\ufffdjP\ufffd!\ufffdH\ufffd \ufffd\ufffd\ufffd\ufffdcu\u0012_\ufffd\u001f\ufffd^\"\ufffd\ufffdp0\ufffd^\u059a\ufffdv\ufffdA\ufffd\ufffd\ufffd\ufffdX8\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd8\u0016x\u000b\ufffdM\ufffd\ufffd\u0012\ufffd\ufffdi\ufffdG\ufffd\ufffd\u0003\ufffdu\ufffd\ufffd\ufffdjP\ufffd!\ufffdH\ufffd \ufffd\ufffd\ufffd\ufffdcu\u0012_\ufffd\u001f\ufffd^\"\ufffd\ufffdp0\ufffd^\u059a\ufffdv\ufffdA\ufffd\ufffd\ufffd\ufffdX8\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0012\ufffd\u04f2\ufffd\u0002R\ufffdgC\ufffdMJfU\ufffd\ufffdx\"\u000f\u0739\u000e{\ufffd\u02c5\ufffd\ufffd\ufffdJ", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd8\u0016x\u000b\ufffdM\ufffd\ufffd\u0012\ufffd\ufffdi\ufffdG\ufffd\ufffd\u0003\ufffdu\ufffd\ufffd\ufffdjP\ufffd!\ufffdH\ufffd \ufffd\ufffd\ufffd\ufffdcu\u0012_\ufffd\u001f\ufffd^\"\ufffd\ufffdp0\ufffd^\u059a\ufffdv\ufffdA\ufffd\ufffd\ufffd\ufffdX8\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd8\u0016x\u000b\ufffdM\ufffd\ufffd\u0012\ufffd\ufffdi\ufffdG\ufffd\ufffd\u0003\ufffdu\ufffd\ufffd\ufffdjP\ufffd!\ufffdH\ufffd \ufffd\ufffd\ufffd\ufffdcu\u0012_\ufffd\u001f\ufffd^\"\ufffd\ufffdp0\ufffd^\u059a\ufffdv\ufffdA\ufffd\ufffd\ufffd\ufffdX8\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0012\ufffd\u04f2\ufffd\u0002R\ufffdgC\ufffdMJfU\ufffd\ufffdx\"\u000f\u0739\u000e{\ufffd\u02c5\ufffd\ufffd\ufffdJ", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd8\u0016x\u000b\ufffdM\ufffd\ufffd\u0012\ufffd\ufffdi\ufffdG\ufffd\ufffd\u0003\ufffdu\ufffd\ufffd\ufffdjP\ufffd!\ufffdH*\ufffd \ufffd\ufffd\ufffd\ufffdcu\u0012_\ufffd\u001f\ufffd^\"\ufffd\ufffdp0\ufffd^\u059a\ufffdv\ufffdA\ufffd\ufffd\ufffd\ufffdX8\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fce5b2891db470ee04629760dd63a4567c8718c6", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Élevé · 71
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/database.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api/database.yml Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/database.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko/20040924 Epiphany/1.4.4 (Ubuntu) Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/database.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko/20040 Requête brute (extrait) GET /api/database.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko/20040924 Epiphany/1.4.4 (Ubuntu) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "616bca6c2b0aa8f8d45a9de706f86b703be609a0", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "c7925f5b0f216247bb0a000827dd8b1a02615d1d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 224, "payload_entropy": 5.391787738651113, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 6, "anomaly_count": 0, "campaign_key": "b6385f0d3ef331fcb574f3f8ea2b2239cb412176", "event_fingerprint": "79d92a3517b7595057c2f123ef07c552456e2fcc", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2787e25ca12e16cb50469fec88cfc9cd", "payload_hash": "c1f597d0452ddc81d9816cb4bf226fe6", "path_pattern_hash": "a85c0cffdce7f3cd5f8342a635486f8c" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040", "method": "GET", "path": "\/api\/database.yml", "user_agent": "Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040924 Epiphany\/1.4.4 (Ubuntu)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/database.yml HTTP\/1.1", "request_sample": "GET \/api\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040924 Epiphany\/1.4.4 (Ubuntu)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040", "evidence": { "method": "GET", "path": "\/api\/database.yml", "user_agent": "Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040924 Epiphany\/1.4.4 (Ubuntu)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/database.yml HTTP\/1.1", "request_sample": "GET \/api\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040924 Epiphany\/1.4.4 (Ubuntu)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4752274d64f14cd282e4d456d97040bb02d32154", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /credentials.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /credentials.yaml Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /credentials.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-G973F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /credentials.yaml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973F) AppleWebKit/537.36 ( Requête brute (extrait) GET /credentials.yaml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "58c3d77164b1f171575aca111c4de9f8b3d542b4", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "1cd12d8c17a4fd004b4a7caca660c7ba1b5dd38e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.411802624017547, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f232e17feb7cd27e909ee36127e4e95c42c85033", "event_fingerprint": "563bca1d75ba6a0135861c0e84425dee8ffaac7a", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5b88a669c8d5f8ecd01200ab1a54488d", "payload_hash": "5c2abb4ab92f99c39c40f73639b9e938", "path_pattern_hash": "b8f00d48a004f38140a03a88e4b761f9" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/credentials.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (", "method": "GET", "path": "\/credentials.yaml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/credentials.yaml HTTP\/1.1", "request_sample": "GET \/credentials.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/credentials.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/credentials.yaml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/credentials.yaml HTTP\/1.1", "request_sample": "GET \/credentials.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/credentials.yaml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "071e65d4017a4497cc31c2a60c351707a4324f4b", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_k8s_probe net_flood Cible HTTP GET /secrets.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /secrets.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /secrets.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /secrets.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /secrets.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "5ba64d1ea5443151980dfcce6e024d04dd73cb27", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "9906f032745691753325e07cb911e68c17846b5d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.397288384420694, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "d7102166650cb2d1612fd14a6d7cfb67c7c492cc", "event_fingerprint": "8457a77529f0a195ab53c9adaa14ac5fdfdfb86c", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b4c3f79bed799d76874a2e6ff83c703a", "payload_hash": "9d927ab4d49e4430856d7a2ccff89e8c", "path_pattern_hash": "1abd330c58113f23df400bb25a78bd81" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/secrets.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 Safari\/537.36 SE 2.X MetaSr 1.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/secrets.json HTTP\/1.1", "request_sample": "GET \/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 Safari\/537.36 SE 2.X MetaSr 1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/secrets.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 Safari\/537.36 SE 2.X MetaSr 1.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/secrets.json HTTP\/1.1", "request_sample": "GET \/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 Safari\/537.36 SE 2.X MetaSr 1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ac4ac69fac7ebe1f314d416a59ea57a17bdea058", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_k8s_probe", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /api_keys.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api_keys.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api_keys.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; CPH1859) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /api_keys.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 9; CPH1859) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /api_keys.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Linux; Android 9; CPH1859) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "3647dd5dfda2412a0ec0d195411f48fc573a1de9", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "3971e7314acad350173b94aed96196fdfff8d535", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.432331953438087, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "899eee33290db54b7be0e362049a6d9e9fea0c66", "event_fingerprint": "0960b39cd03eeefedea4c34ff0f9092295190088", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bada92e04749c29087a7fd9614c10087", "payload_hash": "b70807bee3ac2a91d062b02d4f12b2c5", "path_pattern_hash": "6a6e9ce9657aeba0082f546e97e5badf" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api_keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CPH1859) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/api_keys.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; CPH1859) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/api_keys.json HTTP\/1.1", "request_sample": "GET \/api_keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CPH1859) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api_keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CPH1859) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/api_keys.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; CPH1859) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/api_keys.json HTTP\/1.1", "request_sample": "GET \/api_keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CPH1859) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api_keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CPH1859) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6a9c4dd9fea75dd0560decf14c4b653c2bbb555c", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Sonde fichier configuration	Élevée	Élevé · 70
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /api/v1/config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api/v1/config.json Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/v1/config.json HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/v1/config.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit Requête brute (extrait) GET /api/v1/config.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "json", "http_ua_hash": "61af9ae1143425c2483bcef6708ba0872de7cb50", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "2b55d91c2a56470bc176e0f02ae53fe1d6446ad4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.387613717722229, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 10, "anomaly_count": 0, "campaign_key": "db2cb84dcecf79acf3a1eef3f1fb2ebffbf6521d", "event_fingerprint": "14e46e24d465a2a0d53119d7636142bacda2a591", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "661446b900f23cb7ea026a595f3b6a91", "payload_hash": "8a16cd53ddb54d26376a644505b77515", "path_pattern_hash": "2764e77913ab393ae4f90c4e26863576" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api\/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit", "method": "GET", "path": "\/api\/v1\/config.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/v1\/config.json HTTP\/1.1", "request_sample": "GET \/api\/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/api\/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit", "evidence": { "method": "GET", "path": "\/api\/v1\/config.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/v1\/config.json HTTP\/1.1", "request_sample": "GET \/api\/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/api\/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0ad21b28e06fe60a61e15638adc66554e7acc15b", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_api_route_probe", "http_k8s_probe", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Élevé · 71
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/database.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api/database.php Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/database.php HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.25 Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/database.php HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /api/database.php HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.25 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "274b056f9e791be0da5d562e0f0f807646550eaa", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "3b0f704debd9557578c7b95595853680ba57e853", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.46995531266619, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 6, "anomaly_count": 0, "campaign_key": "3473deb14a54fa325258202fd0e574b47016a699", "event_fingerprint": "353026468ee599e19bfc124bbc2445e95db1780e", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58f4a91a3133aa8b769252f43327c46e", "payload_hash": "18ac2d492fc8832786c078afe7e32d65", "path_pattern_hash": "0e4dd4a2248d9ed0c82f50221193673a" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/api\/database.php", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.85 Safari\/537.36 OPR\/32.0.1948.25", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/database.php HTTP\/1.1", "request_sample": "GET \/api\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.85 Safari\/537.36 OPR\/32.0.1948.25\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/api\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/api\/database.php", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.85 Safari\/537.36 OPR\/32.0.1948.25", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/database.php HTTP\/1.1", "request_sample": "GET \/api\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.85 Safari\/537.36 OPR\/32.0.1948.25\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/api\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "49d245c04828c1bbd53c75b238c53834853a0d96", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 61
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 16 Recommandation Investiguer Tags 950468:nosqli-3 950470:nosqli-3 950600:k8s-api http_probe_api Cible HTTP GET /api/application.properties TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api/application.properties Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/application.properties HTTP/1.1` User-Agent MOT-V9mm/00.62 UP.Browser/6.2.3.4.c.1.123 (GUI) MMP/2.0 Règles WAF nosqli-3 k8s-api Payload (extrait) GET /api/application.properties HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: MOT-V9mm/00.62 UP.Browser/6.2.3.4.c.1.123 (GUI) MMP Requête brute (extrait) GET /api/application.properties HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: MOT-V9mm/00.62 UP.Browser/6.2.3.4.c.1.123 (GUI) MMP/2.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "properties", "http_ua_hash": "0ab7ff70c7dc50a5e6b200b2c283ebd1d2083ad3", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "7b82037305b05e4852e4a0d12fe52171d45b0128", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 201, "payload_entropy": 5.2214244071589295, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 72, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 72, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "fbea6d0d1419cf56f758052937b40a9345eb4a08", "event_fingerprint": "bec24891c34de67e229935d107ce8bb292ccef04", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b303142daef36cda30984ec291091425", "payload_hash": "cdaa9375f5d463f3abe1bfb63d91685d", "path_pattern_hash": "f658d71e5b555b6dd4035cc9acb8e173" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: MOT-V9mm\/00.62 UP.Browser\/6.2.3.4.c.1.123 (GUI) MMP", "method": "GET", "path": "\/api\/application.properties", "user_agent": "MOT-V9mm\/00.62 UP.Browser\/6.2.3.4.c.1.123 (GUI) MMP\/2.0", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/application.properties HTTP\/1.1", "request_sample": "GET \/api\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: MOT-V9mm\/00.62 UP.Browser\/6.2.3.4.c.1.123 (GUI) MMP\/2.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: MOT-V9mm\/00.62 UP.Browser\/6.2.3.4.c.1.123 (GUI) MMP", "evidence": { "method": "GET", "path": "\/api\/application.properties", "user_agent": "MOT-V9mm\/00.62 UP.Browser\/6.2.3.4.c.1.123 (GUI) MMP\/2.0", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/application.properties HTTP\/1.1", "request_sample": "GET \/api\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: MOT-V9mm\/00.62 UP.Browser\/6.2.3.4.c.1.123 (GUI) MMP\/2.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: MOT-V9mm\/00.62 UP.Browser\/6.2.3.4.c.1.123 (GUI) MMP", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "661df986aa879edc6e613828f5ddce453c20421c", "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Sonde fichier configuration	Élevée	Élevé · 70
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api/config.json Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/config.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36 Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/config.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (K Requête brute (extrait) GET /api/config.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "cf1f8ef07506a3d877fb7e2e9733337cf29a9bef", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "23a7fdebb2c6a62d7d99ec7e14a583ee335f985b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 247, "payload_entropy": 5.386700942527301, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.3, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dffbcaaaf3598bcf853059c4882e76ebe6567846", "event_fingerprint": "533500824540ed3aa45da27bfcb01d8ddccc76c3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f15bfddf1358638c7d3326272c4ad19c", "payload_hash": "1c4bb113da6860fbcdaf8f055cb93e0c", "path_pattern_hash": "cccb8d748e9f900a4a8cbc953ef4ca7f" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/api\/config.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/32.0.1667.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/config.json HTTP\/1.1", "request_sample": "GET \/api\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/32.0.1667.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/api\/config.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/32.0.1667.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/config.json HTTP\/1.1", "request_sample": "GET \/api\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/32.0.1667.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit\/537.36 (K", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "62ea0f5f3e9ea9c5f3a20d47afa39fbe86b76d47", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 47
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 7 Recommandation Surveiller Tags 950326:rce-0 net_flood Cible HTTP GET /api-keys.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api-keys.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api-keys.json HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0 ) Règles WAF rce-0 Payload (extrait) GET /api-keys.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0 ) Accept-Char Requête brute (extrait) GET /api-keys.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0 ) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "7691ebc02be0c1bcb39b1eb7d6d21e416d6d4ce7", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "c66ed2cb2ee7945e15913f0f7ca32c846f13537b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 184, "payload_entropy": 5.272334033673525, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 36, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 36, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ac2ca508064babeeb4b74add1a5217fdc50ffabf", "event_fingerprint": "dd9cac87693e4b74249f78d3b5f944ccebb79d62", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8bb1926c067b589520f38c26dca8d31c", "payload_hash": "2f34df436f310e95d834b12f5cfe7fe9", "path_pattern_hash": "015c5a8e5b64863b9df5b863319a5c2b" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api-keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows NT 5.0 )\r\nAccept-Char", "method": "GET", "path": "\/api-keys.json", "user_agent": "Mozilla\/4.0 (compatible; MSIE 5.5; Windows NT 5.0 )", "waf_tags": [ "950326:rce-0" ], "waf_rule_names": [ "rce-0" ], "request_line": "GET \/api-keys.json HTTP\/1.1", "request_sample": "GET \/api-keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows NT 5.0 )\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api-keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows NT 5.0 )\r\nAccept-Char", "evidence": { "method": "GET", "path": "\/api-keys.json", "user_agent": "Mozilla\/4.0 (compatible; MSIE 5.5; Windows NT 5.0 )", "waf_tags": [ "950326:rce-0" ], "waf_rule_names": [ "rce-0" ], "request_line": "GET \/api-keys.json HTTP\/1.1", "request_sample": "GET \/api-keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows NT 5.0 )\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api-keys.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows NT 5.0 )\r\nAccept-Char", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1871e067124a8a217349da32a020f73ed7ad1587", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /private.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /private.json Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /private.json HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /private.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.3 Requête brute (extrait) GET /private.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "748f28df9b1455e0c7e29160208688f331e51fab", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "cba94a1b37f4bc1c6667e76235119ed3064bd656", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.407425039095422, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "899eee33290db54b7be0e362049a6d9e9fea0c66", "event_fingerprint": "7a8f6c6f8212dcd7297fa81b7040a693773b9afe", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d4c6126b4f5b2c65c056518cea4e2669", "payload_hash": "ff72bbcfd915464c0aa1285d7d90053e", "path_pattern_hash": "45bc7fdb4d234c918d3617f96e56d2a9" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.3", "method": "GET", "path": "\/private.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private.json HTTP\/1.1", "request_sample": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/private.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private.json HTTP\/1.1", "request_sample": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fd3f3608e84204a3156f0a46734c97785a6c1914", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	tls	Flood / DDoS	Élevée	Faible · 29
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) ��e ��r��sԃ�e%�ܘ��s�� %�l\|���Ք��C�j� �n/>�b&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��e ��r��sԃ�e%�ܘ��s�� %�l\|���Ք��C�j � �n/>�b&�+�/�,�0̨̩� �� /5� w �+3&$ �}x1B��H \�ke�� 'sM�Gu Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.701531734554832, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 29, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bdc542f3e0a29606ebe5335bb87cec1e3fb59af9", "event_fingerprint": "b1106e545c0532c717b76f44145d28bf98569345", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "c75d39cae54ff26f241e0e6e11299b12", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 3000, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003e\t\u0013\ufffd\u0000\ufffd\ufffdr\ufffd\ufffd\ufffd\u0016\ufffds\u0503\ufffd\u0010e%\ufffd\u0718\ufffd\ufffds\ufffd\ufffd\ufffd\ufffd\u0018 %\ufffdl\|\u0013\u0018\u0001\ufffd\u0002\ufffd\ufffd\ufffd\u0554\ufffd\ufffd\ufffdC\ufffdj\u000b\ufffd\t\ufffd\u0004n\/\u0016>\ufffdb\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003e\t\u0013\ufffd\u0000\ufffd\ufffdr\ufffd\ufffd\ufffd\u0016\ufffds\u0503\ufffd\u0010e%\ufffd\u0718\ufffd\ufffds\ufffd\ufffd\ufffd\ufffd\u0018 %\ufffdl\|\u0013\u0018\u0001\ufffd\u0002\ufffd\ufffd\ufffd\u0554\ufffd\ufffd\ufffdC\ufffdj\u000b\ufffd\t\ufffd\u0004n\/\u0016>\ufffdb\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \b\ufffd}x\u00071B\ufffd\ufffd\ufffd\ufffdH \\\ufffdke\u0010\ufffd\ufffd\t'sM\ufffd\u0006Gu\u001d\u0014", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003e\t\u0013\ufffd\u0000\ufffd\ufffdr\ufffd\ufffd\ufffd\u0016\ufffds\u0503\ufffd\u0010e%\ufffd\u0718\ufffd\ufffds\ufffd\ufffd\ufffd\ufffd\u0018 %\ufffdl\|\u0013\u0018\u0001\ufffd\u0002\ufffd\ufffd\ufffd\u0554\ufffd\ufffd\ufffdC\ufffdj\u000b\ufffd\t\ufffd\u0004n\/\u0016>\ufffdb\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003e\t\u0013\ufffd\u0000\ufffd\ufffdr\ufffd\ufffd\ufffd\u0016\ufffds\u0503\ufffd\u0010e%\ufffd\u0718\ufffd\ufffds\ufffd\ufffd\ufffd\ufffd\u0018 %\ufffdl\|\u0013\u0018\u0001\ufffd\u0002\ufffd\ufffd\ufffd\u0554\ufffd\ufffd\ufffdC\ufffdj\u000b\ufffd\t\ufffd\u0004n\/\u0016>\ufffdb\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \b\ufffd}x\u00071B\ufffd\ufffd\ufffd\ufffdH \\\ufffdke\u0010\ufffd\ufffd\t'sM\ufffd\u0006Gu\u001d\u0014", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003e\t\u0013\ufffd\u0000\ufffd\ufffdr\ufffd\ufffd\ufffd\u0016\ufffds\u0503\ufffd\u0010e%\ufffd\u0718\ufffd\ufffds\ufffd\ufffd\ufffd\ufffd\u0018 %\ufffdl\|\u0013\u0018\u0001\ufffd\u0002\ufffd\ufffd*\ufffd\u0554\ufffd\ufffd\ufffdC\ufffdj\u000b\ufffd\t\ufffd\u0004n\/\u0016>\ufffdb\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c813d8758ae42818bf31055345437ddfe4a227f6", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Flood / DDoS	Élevée	Élevé · 71
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /api/v1/application.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api/v1/application.yml Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/v1/application.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.25 Règles WAF lfi-14 rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/v1/application.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /api/v1/application.yml HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.25 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "274b056f9e791be0da5d562e0f0f807646550eaa", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "38fb6895d8441312cff892b8d5023a58c197b356", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 263, "payload_entropy": 5.478954442430465, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 9, "anomaly_count": 0, "campaign_key": "a273858d0e70bcf82211207e36fd2f09df518234", "event_fingerprint": "dc8aed16c5200c0f6a68e7bf9233ab3e64b93cff", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58f4a91a3133aa8b769252f43327c46e", "payload_hash": "921255fed80526e001de2b21875b1ecd", "path_pattern_hash": "b610cbd3b782ecceaa4591dd4ae78b6f" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api\/v1\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/api\/v1\/application.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.85 Safari\/537.36 OPR\/32.0.1948.25", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/v1\/application.yml HTTP\/1.1", "request_sample": "GET \/api\/v1\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.85 Safari\/537.36 OPR\/32.0.1948.25\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/api\/v1\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/api\/v1\/application.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.85 Safari\/537.36 OPR\/32.0.1948.25", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/v1\/application.yml HTTP\/1.1", "request_sample": "GET \/api\/v1\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.85 Safari\/537.36 OPR\/32.0.1948.25\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/api\/v1\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHT", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aea10f610ee6c359e89ba6abf3a18ca960929c8b", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_api_route_probe", "http_k8s_probe", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 20:29:07 UTC	TCP	3000	http	Sonde fichier configuration	Élevée	Élevé · 70
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /api/v2/config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible /api/v2/config.json Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/v2/config.json HTTP/1.1` User-Agent Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident/5.0) Règles WAF lfi-14 rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/v2/config.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident/ Requête brute (extrait) GET /api/v2/config.json HTTP/1.1 Host: 62.3.50.33:3000 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident/5.0) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "json", "http_ua_hash": "55328443fdf6da5299f536f6a3e8463066f833e3", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "6b80f89580c29c439d19b48dd4ca5c498157500b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 201, "payload_entropy": 5.271074438882085, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 3000, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 9, "anomaly_count": 0, "campaign_key": "09ce1e2aa8c281ad1e22f9bef1a38a9172439dca", "event_fingerprint": "fe4c7008881c33dfa8ebc5bf7e71211742e89459", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8926c3bfdb2517e6c0105cbf629349e9", "payload_hash": "273bde247dd76fe782c6188e6e58ac6a", "path_pattern_hash": "a9426bbf6d4bd633fabcb2de52d2c4da" }, "target_context": { "dst_port": 3000, "service": "http" }, "payload_preview": "GET \/api\/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident\/", "method": "GET", "path": "\/api\/v2\/config.json", "user_agent": "Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident\/5.0)", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/v2\/config.json HTTP\/1.1", "request_sample": "GET \/api\/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident\/5.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident\/", "evidence": { "method": "GET", "path": "\/api\/v2\/config.json", "user_agent": "Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident\/5.0)", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/v2\/config.json HTTP\/1.1", "request_sample": "GET \/api\/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident\/5.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident\/", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f3e8b3288030f7f1cd0e6325fbd7632dc1fd5ffd", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_api_route_probe", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }

8.230.0.135

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence