{"ip":"8.230.14.61","exported_at":"2026-06-18T19:27:08+00:00","period_days":30,"metrics":{"events7d":0,"distinct_ports":0,"distinct_classifications":0,"max_severity":null,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":69,"attack_stage":"exploit_attempt","attack_chain_stage":null,"threat_family":["path_traversal","config_leak_scan"],"recommended_action":"investigate","confidence":1,"risk_breakdown":{"waf":100,"classification":74,"behavior":0,"geo":40,"protocol":43,"novelty":25},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":null,"top_mitre_technique":null,"top_mitre_count":null,"executive_one_liner_fr":"risque 69\/100","campaign_hint_fr":null,"confidence_breakdown":[],"persona_hostname":null,"correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":100,"confidence_hint_fr":null,"sensor_role_label_fr":null,"tags_summary_labels_fr":[],"tags_summary":[],"attack_vector":null,"protocol_details":[],"protocol_summary_fr":null,"evidence_snippet":"GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KH","target_port_label":"82","emulator_service":null,"confidence_reason":null,"classification_reason":"Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%","classification_reason_label_fr":"Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%","confidence_factors_fr":null,"payload_preview":"GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KH"},"events":[{"id":8287019,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57280,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":21,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/.env.demo","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022demo\u0022, \u0022http_ua_hash\u0022: \u0022fdaa4c1e1de66370701fdf4860e77b1c763f15b4\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022281117a46ffb6dbe77926884a25652c0da93651c\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 248, \u0022payload_entropy\u0022: 5.42344071814178, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 92.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 65, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223fbe1d785ce08b33cf30d663b41036d313e76255\u0022, \u0022event_fingerprint\u0022: \u002294bfcd3e932f03e2980cc7bc477704996e3ec6df\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 270, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022pat-0191\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022pat-0191\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0191\u0022], \u0022matched_pattern_names\u0022: [\u0022Probe \/.env\u0022], \u0022pattern_ids\u0022: [\u0022pat-0191\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c3bbdc96b5aa6b0b36251a9ea5cdb741\u0022, \u0022payload_hash\u0022: \u0022561548c450c3c38fa6790be700500a3c\u0022, \u0022path_pattern_hash\u0022: \u0022ff56ce56a447b9537c511ab389b44d21\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/.env.demo HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (KH\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.env.demo\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/.env.demo HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.env.demo HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.env.demo HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (KH\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.env.demo\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/.env.demo HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.env.demo HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.env.demo HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (KH\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d7ac475ad7cf982656d7371df6c8589c62b7a990\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":248},{"id":8287020,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57328,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":29,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022]","http_method":"GET","http_target":"\/.env.local.bak","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022bak\u0022, \u0022http_ua_hash\u0022: \u00223d223265ba48595efd11ff58193bd7ad0c43df7c\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u002214d941abaa5531ff4222826e2a078089eafb4502\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 237, \u0022payload_entropy\u0022: 5.422841924018222, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022516b6c1cbd598076cc75a20e93ffe96cf15a405a\u0022, \u0022event_fingerprint\u0022: \u00226d9b169262d17ce00e601cccf07f112443018efa\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 325, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022pat-0191\u0022, \u0022pat-0193\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022pat-0191\u0022, \u0022pat-0193\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0191\u0022, \u0022pat-0193\u0022], \u0022matched_pattern_names\u0022: [\u0022Probe \/.env\u0022, \u0022Probe \/.env.local\u0022], \u0022pattern_ids\u0022: [\u0022pat-0191\u0022, \u0022pat-0193\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002267276cddfcf3839c4ed1b28eb9a0bc9e\u0022, \u0022payload_hash\u0022: \u00220a6dcd2097c9953d84bf4a255e0fcbcf\u0022, \u0022path_pattern_hash\u0022: \u00226ce60df5c3a9e710b10793a4d5a3668f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/.env.local.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.env.local.bak\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022leak-8\u0022], \u0022request_line\u0022: \u0022GET \/.env.local.bak HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.env.local.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.env.local.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.env.local.bak\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022leak-8\u0022], \u0022request_line\u0022: \u0022GET \/.env.local.bak HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.env.local.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.env.local.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a3e605e435f1186f6d1459a382bb4c5d35367441\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_probe_env_local\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_probe_env_local\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":237},{"id":8287021,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57380,"dst_port":82,"service":"http","classification":"exploit_attempt","waf_score":21,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950521:leak-8\u0022]","http_method":"GET","http_target":"\/env.bak","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022bak\u0022, \u0022http_ua_hash\u0022: \u0022504bf1882c89291b3d00121e743980a500faaa94\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022a267c1a6bb1f8e78acd54116556c5ca3263f5088\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 251, \u0022payload_entropy\u0022: 5.37245242211684, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 92.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d6c50d77431922d847c2bedf3efaf00b7abe6f64\u0022, \u0022event_fingerprint\u0022: \u002266e8d4423e4c042d019a7edb731a2f898e0456bf\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.62, \u0022classification_confidence\u0022: 0.62, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022e1bef62fbfaeba10d3d5412ad8263b9a\u0022, \u0022payload_hash\u0022: \u0022f66d2fea5002df7979ebf4595f36d081\u0022, \u0022path_pattern_hash\u0022: \u00228c7af96cfa7ab0d2b434d66566500145\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML, \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/env.bak\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML, like Gecko) Version\/6.0 Mobile\/10A5355d Safari\/8536.25\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950521:leak-8\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-8\u0022], \u0022request_line\u0022: \u0022GET \/env.bak HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML, like Gecko) Version\/6.0 Mobile\/10A5355d Safari\/8536.25\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML,\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/env.bak\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML, like Gecko) Version\/6.0 Mobile\/10A5355d Safari\/8536.25\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950521:leak-8\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-8\u0022], \u0022request_line\u0022: \u0022GET \/env.bak HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML, like Gecko) Version\/6.0 Mobile\/10A5355d Safari\/8536.25\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML,\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d9fabe057dce09f8ee0a5e1677243203f027e775\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950521:leak-8\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_probe_env\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML, like Gecko) Version\/6.0 Mobile\/10A5355d Safari\/8536.25","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950521:leak-8\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_probe_env\u0022]","anomalies":"[]","severity":10,"bytes_in":251},{"id":8287022,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57396,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":14,"waf_tags":"[\u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/.env~","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022env~\u0022, \u0022http_ua_hash\u0022: \u002266a037cee45db2503b4c91e43bee6fec7f98adfe\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00221226c0debb1b75494a73e965e6d8cdcb9b1ead38\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 215, \u0022payload_entropy\u0022: 5.2967592886748065, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 64.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 64.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228a695fe13f1e619d496fd77d97cce210a9ab0392\u0022, \u0022event_fingerprint\u0022: \u0022e3dacc09fb3f8b4b60988e5ef0c3778723e51ccb\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 270, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022pat-0191\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022pat-0191\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0191\u0022], \u0022matched_pattern_names\u0022: [\u0022Probe \/.env\u0022], \u0022pattern_ids\u0022: [\u0022pat-0191\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b55161923bfd52f23c0f0bf0408c2094\u0022, \u0022payload_hash\u0022: \u0022cbd9141d0dbe370d39efe5b15e1a6dd1\u0022, \u0022path_pattern_hash\u0022: \u0022cf5f67b633918a8bfbe3f2b4d6e8e9e1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/.env~ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: BlackBerry8300\/4.2.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/107 \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.env~\u0022, \u0022user_agent\u0022: \u0022BlackBerry8300\/4.2.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/107 UP.Link\/6.2.3.15.0\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/.env~ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.env~ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: BlackBerry8300\/4.2.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/107 UP.Link\/6.2.3.15.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.env~ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: BlackBerry8300\/4.2.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/107\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.env~\u0022, \u0022user_agent\u0022: \u0022BlackBerry8300\/4.2.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/107 UP.Link\/6.2.3.15.0\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/.env~ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.env~ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: BlackBerry8300\/4.2.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/107 UP.Link\/6.2.3.15.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.env~ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: BlackBerry8300\/4.2.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/107\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220834beecd3b1647f77cf27807585f708b552f8d5\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"BlackBerry8300\/4.2.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/107 UP.Link\/6.2.3.15.0","http_referer":null,"tags":"[\u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":7,"bytes_in":215},{"id":8287023,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57400,"dst_port":82,"service":"http","classification":"exploit_attempt","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/env.txt","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022txt\u0022, \u0022http_ua_hash\u0022: \u00228343728e09cc5534aa355662af176824290e16ba\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u002243063baf0fda73950dd575fa216e503f70ad04be\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.431177491505892, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b4891d212379c43873fbd2b0397cc102257c1b79\u0022, \u0022event_fingerprint\u0022: \u002298e31e8955b7594ee89209880e1b191bed6c1ab4\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.62, \u0022classification_confidence\u0022: 0.62, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d5b435b8abdaa4272f37db8d3f41393b\u0022, \u0022payload_hash\u0022: \u00223506770abfdc91d268f0fef1d249ca5c\u0022, \u0022path_pattern_hash\u0022: \u00224ff48f74005d677acf48e527b71c7273\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/env.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/env.txt\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/env.txt HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/env.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/env.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/env.txt\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/env.txt HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/env.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/env.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221e7fe60464ecb4b119756ea13aa7886de4af2c37\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":7,"bytes_in":239},{"id":8287024,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57410,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":21,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/.env.txt","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022txt\u0022, \u0022http_ua_hash\u0022: \u0022a5d1fb4038518fe0ebb1893e348c7b185e0551c5\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022db658cd9f30d14f4f7b89e2ec27457776d31b406\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 210, \u0022payload_entropy\u0022: 5.274041879123376, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 92.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 65, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223fbe1d785ce08b33cf30d663b41036d313e76255\u0022, \u0022event_fingerprint\u0022: \u0022f97cbc931f789df1d16bdcf0ca5e26901c8c0a2c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 270, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022pat-0191\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022pat-0191\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0191\u0022], \u0022matched_pattern_names\u0022: [\u0022Probe \/.env\u0022], \u0022pattern_ids\u0022: [\u0022pat-0191\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00224265e407fd374471485c2088155c8a8d\u0022, \u0022payload_hash\u0022: \u0022fd751e2717b6298c266a95c02c7150c2\u0022, \u0022path_pattern_hash\u0022: \u0022bcf9f4a0a512e549570ca7fb20cc5789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/.env.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko\/20081015\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.env.txt\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko\/20081015 Fennec\/1.0a1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/.env.txt HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.env.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko\/20081015 Fennec\/1.0a1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.env.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko\/20081015\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.env.txt\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko\/20081015 Fennec\/1.0a1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/.env.txt HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.env.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko\/20081015 Fennec\/1.0a1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.env.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko\/20081015\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e1087cf391ad3c2546d3a40642f0c3aa873a106a\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko\/20081015 Fennec\/1.0a1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":210},{"id":8287025,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57422,"dst_port":82,"service":"http","classification":"exploit_attempt","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/env.backup","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022backup\u0022, \u0022http_ua_hash\u0022: \u00222e2c19c1d95990a188ae2dc3e112475ddb923307\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022de881192e40b910ddadfeaa7d74737f8ac4fcb8e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 249, \u0022payload_entropy\u0022: 5.428028576815643, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b4891d212379c43873fbd2b0397cc102257c1b79\u0022, \u0022event_fingerprint\u0022: \u00220f1a9900b45421dc0ddf8cd1c425d1e2eee26d9b\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.62, \u0022classification_confidence\u0022: 0.62, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220fc9f1f9e51b48f63de3565001461eb9\u0022, \u0022payload_hash\u0022: \u0022b70def2ee49b7ffad35868ceaa8c8502\u0022, \u0022path_pattern_hash\u0022: \u00220913256c1ce2cf4361c479b44d591aa5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, l\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/env.backup\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/env.backup HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, l\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/env.backup\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/env.backup HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, l\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e49652473684e51cf9a326891ae200f549c4cfc9\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":7,"bytes_in":249},{"id":8287026,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57424,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":21,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/.env.production.local","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022local\u0022, \u0022http_ua_hash\u0022: \u0022a9bf52155318772ae4e63c034a88f19baba59046\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022d3f1365c6401e671ba4f40a870e3ce46645aab05\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 252, \u0022payload_entropy\u0022: 5.3815819103736615, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 92.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 65, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223fbe1d785ce08b33cf30d663b41036d313e76255\u0022, \u0022event_fingerprint\u0022: \u0022bd62066e62d6d580a07c79c44f037854400a3ed9\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 325, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022pat-0191\u0022, \u0022pat-0194\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022pat-0191\u0022, \u0022pat-0194\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0191\u0022, \u0022pat-0194\u0022], \u0022matched_pattern_names\u0022: [\u0022Probe \/.env\u0022, \u0022Probe \/.env.production\u0022], \u0022pattern_ids\u0022: [\u0022pat-0191\u0022, \u0022pat-0194\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00223c2484f027975550dcd1a322f9a63052\u0022, \u0022payload_hash\u0022: \u0022f59363e3250e0855e8e25bd39f3a42d4\u0022, \u0022path_pattern_hash\u0022: \u0022a0a342b9319fca95b9114c90facec319\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/.env.production.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.env.production.local\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.75 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/.env.production.local HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.env.production.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.75 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.env.production.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.env.production.local\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.75 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/.env.production.local HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.env.production.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.75 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.env.production.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225ab9659a02a3b3e67c55d08f2c6fd02422766302\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.75 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":252},{"id":8287027,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57448,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":31,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022d1fe78cc4b2390aa57ab35fd24fafa28626a16ef\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022f5b7d21cf92d5caca6cd906725e72730e31bc18c\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 272, \u0022payload_entropy\u0022: 5.459818580255799, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d19a9e44e9038ccd4bb026e8ec779734184cad63\u0022, \u0022event_fingerprint\u0022: \u00222380b7be9982bd26621a617aaa8c01c9a3855202\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002289118e8e7adfb61feb0c5082572d1e14\u0022, \u0022payload_hash\u0022: \u0022a18c039549fcda0924b5882e8d601c05\u0022, \u0022path_pattern_hash\u0022: \u00223c658e3b68f996f41891a76e1d05a9a5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) Apple\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConne\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) Apple\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConne\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) Apple\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229150dd71fa3925f9e43dda1474d2f3eac8f60225\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":272},{"id":8287028,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57434,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":8,"waf_tags":"[\u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/.env.dev.local","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022local\u0022, \u0022http_ua_hash\u0022: \u00224795231a22fb3723ee7614729d2f174075c02b4d\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u002212559bd98a78482d9ce7a35ea95030c5164cc18e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.068901485416902, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 40.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 40.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228c27660d3db584b38633e86e1bd72a6daa966e42\u0022, \u0022event_fingerprint\u0022: \u0022e59b84fbfff7ceb0583d0d8fdc129fc894ab233c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab leak-1 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 240, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022pat-0191\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022pat-0191\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0191\u0022], \u0022matched_pattern_names\u0022: [\u0022Probe \/.env\u0022], \u0022pattern_ids\u0022: [\u0022pat-0191\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00222d2b2f462df541a5583d5751faedf94b\u0022, \u0022payload_hash\u0022: \u0022fec4813474f156c528a8062cfb078b6d\u0022, \u0022path_pattern_hash\u0022: \u0022168410cb363e5bff281032a79dc5b72d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/.env.dev.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: HTMLParser\/1.6\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nCon\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.env.dev.local\u0022, \u0022user_agent\u0022: \u0022HTMLParser\/1.6\u0022, \u0022waf_tags\u0022: [\u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/.env.dev.local HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.env.dev.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: HTMLParser\/1.6\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.env.dev.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: HTMLParser\/1.6\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nCon\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.env.dev.local\u0022, \u0022user_agent\u0022: \u0022HTMLParser\/1.6\u0022, \u0022waf_tags\u0022: [\u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/.env.dev.local HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.env.dev.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: HTMLParser\/1.6\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.env.dev.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: HTMLParser\/1.6\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nCon\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab leak-1 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002243d45ea66dcee73219c1f0dc07185ccd12502c14\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"HTMLParser\/1.6","http_referer":null,"tags":"[\u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":7,"bytes_in":146},{"id":8287029,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57454,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":31,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/.env.local","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022local\u0022, \u0022http_ua_hash\u0022: \u002284c75482fdef0a4798619e9b7d389fd65ba79acd\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022edb025f9fa0e5ca4830590504e5c719dffe9f0d2\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 258, \u0022payload_entropy\u0022: 5.437583469852692, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d19a9e44e9038ccd4bb026e8ec779734184cad63\u0022, \u0022event_fingerprint\u0022: \u0022c794d6c3276f36d126c74ae9d7c16cd13b86b5fd\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00223dd2d5718cccb3969b1019b3f0860581\u0022, \u0022payload_hash\u0022: \u00221198292726124126a44b8a28e5bed39d\u0022, \u0022path_pattern_hash\u0022: \u0022593041543fc7e9468b6d0efddae98740\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/api\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.env.local\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.env.local HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.env.local\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.env.local HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022164375d805c0d2bb6a87d78758d7ff310a8758e4\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":258},{"id":8287030,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57456,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":26,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/v2\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00223f4e5c87c193872106cfbb5d90285db4df3fe4ed\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022cc4b30112d6bf6eb67e9d97dbf1e56d5dce1ab0e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 143, \u0022payload_entropy\u0022: 5.057527149946495, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002298cfd24c07b25a7a0a3228cdf752cee42bd99d52\u0022, \u0022event_fingerprint\u0022: \u002240cca6a66c8096d633a1c8c177e256cdac89d915\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 185, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0213\u0022], \u0022matched_pattern_names\u0022: [\u0022Probe \/api\/v2\/\u0022], \u0022pattern_ids\u0022: [\u0022pat-0213\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002206587e20115dae1320821738f5e73854\u0022, \u0022payload_hash\u0022: \u00224c84415dadb719e621e159b5facb299c\u0022, \u0022path_pattern_hash\u0022: \u002245a8106651a0a44c3f11053706f8aead\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/api\/v2\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: wii libnup\/1.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnec\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/v2\/.env\u0022, \u0022user_agent\u0022: \u0022wii libnup\/1.0\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/v2\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/v2\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: wii libnup\/1.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v2\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: wii libnup\/1.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnec\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/v2\/.env\u0022, \u0022user_agent\u0022: \u0022wii libnup\/1.0\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/v2\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/v2\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: wii libnup\/1.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v2\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: wii libnup\/1.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnec\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222a62b9991758522c3d318b4b91d2b13b1bc8f154\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"wii libnup\/1.0","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":143},{"id":8287031,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57470,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":39,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/v1\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u002259423626a08bd02f2b9e57d98fcf5e653cd00fbe\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022510d89ba7f87ce49d7697f92088f4049153aa93e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.368109450972935, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227d0d4a5d1fb45a5b4d34a78036be1eef22e64599\u0022, \u0022event_fingerprint\u0022: \u00221eb9a273f238ef29896767a58bd45ed7668ad4fb\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 185, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0212\u0022], \u0022matched_pattern_names\u0022: [\u0022Probe \/api\/v1\/\u0022], \u0022pattern_ids\u0022: [\u0022pat-0212\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f6be50818ab971b3803e8ee7540102bd\u0022, \u0022payload_hash\u0022: \u0022fdf90c7d67d06de815ff48f96114bdd7\u0022, \u0022path_pattern_hash\u0022: \u00225df89d300eb37d420581ac8576ea9498\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/api\/v1\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/533.19.4\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/v1\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/533.19.4 (KHTML, like Gecko) Version\/5.0.2 Safari\/533.18.5\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/v1\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/v1\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/533.19.4 (KHTML, like Gecko) Version\/5.0.2 Safari\/533.18.5\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v1\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/533.19.4\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/v1\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/533.19.4 (KHTML, like Gecko) Version\/5.0.2 Safari\/533.18.5\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/v1\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/v1\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/533.19.4 (KHTML, like Gecko) Version\/5.0.2 Safari\/533.18.5\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v1\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/533.19.4\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226e58887247b517f69dccbe6c5dbcbe65691fca95\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_backup_file_scan\u0022, \u0022http_k8s_probe\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/533.19.4 (KHTML, like Gecko) Version\/5.0.2 Safari\/533.18.5","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_backup_file_scan\u0022, \u0022http_k8s_probe\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":247},{"id":8287033,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57486,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":31,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/.env.staging","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022staging\u0022, \u0022http_ua_hash\u0022: \u0022fb35aa6d075efbf6c20bdfab4a318bb13334b704\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022558189df00dd1f382a665a69aadcd9f4c6685109\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 248, \u0022payload_entropy\u0022: 5.403459408058749, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d19a9e44e9038ccd4bb026e8ec779734184cad63\u0022, \u0022event_fingerprint\u0022: \u00229a17021bf81ca25bf74f30bfc155989aeb735e7a\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b80f036707f051ea52220d84e31704a2\u0022, \u0022payload_hash\u0022: \u002220a6904de5101e14e10eab8b2df8ba9c\u0022, \u0022path_pattern_hash\u0022: \u002207bb9306fa50af07f9ffa6d9d05639e6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/api\/.env.staging HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (K\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.env.staging\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.78 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.env.staging HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.env.staging HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.78 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.env.staging HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (K\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.env.staging\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.78 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.env.staging HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.env.staging HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.78 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.env.staging HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (K\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cb029410f0237df01bc79c847d95d195296f5a68\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.78 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":248},{"id":8287034,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57472,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":38,"waf_tags":"[\u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/.env.old","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022old\u0022, \u0022http_ua_hash\u0022: \u0022d339cf5577510900d6ae7a2034a71a408566a4fc\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00221eaaed3d5813b8a0c46124d29705f048ce880ab8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 180, \u0022payload_entropy\u0022: 5.096620768084978, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225e2d29fff875875c5e92a1acae65f3fa9344d8e7\u0022, \u0022event_fingerprint\u0022: \u002231719037dda69b00c6d31cdb15caafc9444e0013\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002238b274f5c581c7410651422886fcbc13\u0022, \u0022payload_hash\u0022: \u00223549a8f4536af65c8bd92bad6e9538ea\u0022, \u0022path_pattern_hash\u0022: \u0022f24df3f6a48f5ead7ac9d4853493d4fa\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/api\/.env.old HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: AdsBot-Google ( http:\/\/www.google.com\/adsbot.html)\\r\\nAccept-Charset:\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.env.old\u0022, \u0022user_agent\u0022: \u0022AdsBot-Google ( http:\/\/www.google.com\/adsbot.html)\u0022, \u0022waf_tags\u0022: [\u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022leak-8\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.env.old HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.env.old HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: AdsBot-Google ( http:\/\/www.google.com\/adsbot.html)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.env.old HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: AdsBot-Google ( http:\/\/www.google.com\/adsbot.html)\\r\\nAccept-Charset:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.env.old\u0022, \u0022user_agent\u0022: \u0022AdsBot-Google ( http:\/\/www.google.com\/adsbot.html)\u0022, \u0022waf_tags\u0022: [\u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022leak-8\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.env.old HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.env.old HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: AdsBot-Google ( http:\/\/www.google.com\/adsbot.html)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.env.old HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: AdsBot-Google ( http:\/\/www.google.com\/adsbot.html)\\r\\nAccept-Charset:\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bed6082566514c6a2f66285dc0c3d928e7c2a7cc\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"AdsBot-Google ( http:\/\/www.google.com\/adsbot.html)","http_referer":null,"tags":"[\u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":180},{"id":8287035,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57492,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":31,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/.env.production","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022production\u0022, \u0022http_ua_hash\u0022: \u0022252b93efa155a5637c584f729eef797ba6dba612\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022968e975abb5bec4d137f79208dfd090d8456c104\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 251, \u0022payload_entropy\u0022: 5.398004151703649, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e70ef21d8fc9810910cbcf7ee5fbe371b27b9c84\u0022, \u0022event_fingerprint\u0022: \u0022ea3fb9a8c9584c0b9c1a5348bb2dfd598df94cb0\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00221e6b2a724d1ae943a7a06e4531665258\u0022, \u0022payload_hash\u0022: \u0022c3b41fa3eb1c4a51a46add6e400d6b84\u0022, \u0022path_pattern_hash\u0022: \u00223695b3884d13830f81357e8fc9151d2d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/api\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.env.production\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.env.production HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.env.production\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.env.production HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002242f730a83f53719d4b5f19921c24b1b57f81f4f9\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":251},{"id":8287036,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57506,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":31,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/.env.backup","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022backup\u0022, \u0022http_ua_hash\u0022: \u00223998abd7ca1b3c85ad4e2ac4d02d2c58acfcb5b5\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00229dab8234c39ccb9ea2d77d85642de0c301ab4efb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 284, \u0022payload_entropy\u0022: 5.427545749601186, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e70ef21d8fc9810910cbcf7ee5fbe371b27b9c84\u0022, \u0022event_fingerprint\u0022: \u00222c21d6706f158301e7bcbe7bee331ccb54d9a60d\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00227eeca09b89f3fc84e44293e4965f2d3b\u0022, \u0022payload_hash\u0022: \u00229edfd63557a7fb57d3a1aa4dd0a930b4\u0022, \u0022path_pattern_hash\u0022: \u002249a3b01836cfe2c6affa28c94f1fce0a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/api\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus Build\/OPPS27.91-\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.env.backup\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus Build\/OPPS27.91-122-3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.126 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.env.backup HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus Build\/OPPS27.91-122-3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.126 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding:\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus Build\/OPPS27.91-\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.env.backup\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus Build\/OPPS27.91-122-3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.126 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.env.backup HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus Build\/OPPS27.91-122-3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.126 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding:\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus Build\/OPPS27.91-\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002245ecb9463598a2f766a12a49ebedc1829f518501\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus Build\/OPPS27.91-122-3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.126 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":284},{"id":8287037,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57510,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":39,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/.env.bak","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022bak\u0022, \u0022http_ua_hash\u0022: \u0022637ce5322bb77a61de6800d960f9df95080fd8e7\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022db58915b70ec4f4897682eec5a7fd50dc2102271\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.408075904608764, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228aedc9e2d1614829b3c36040d48d16edefb26c33\u0022, \u0022event_fingerprint\u0022: \u00229ff1a6df9ed38391cdbf1ae300568c14d39b9490\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d14870c6fbb2acb77d15af60a1d43119\u0022, \u0022payload_hash\u0022: \u00221253450c4b14f255f5b2e55746c94d81\u0022, \u0022path_pattern_hash\u0022: \u0022704472054da186f49a4245e261c91fda\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/api\/.env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.env.bak\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022leak-8\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.env.bak HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.env.bak\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022leak-8\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.env.bak HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223d1dfe577d66206e4492649ef50fef773bac7775\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":247},{"id":8287038,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57522,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":31,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/.env.dev","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022dev\u0022, \u0022http_ua_hash\u0022: \u0022592bb3de86699c826b92a6f269c5cf0b60adac6d\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022df0da649347f6e8b30ebfd6075798e279a79356e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 256, \u0022payload_entropy\u0022: 5.445559785807001, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e70ef21d8fc9810910cbcf7ee5fbe371b27b9c84\u0022, \u0022event_fingerprint\u0022: \u0022896b1de9368666eeb7fefbcee2914a0563404cd6\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002296388e8375c9c019f95583d6b452c123\u0022, \u0022payload_hash\u0022: \u00224b674a9a1bdff387ed586657b828c024\u0022, \u0022path_pattern_hash\u0022: \u0022a65c42973e65ed0c7793c8c71a0195da\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/api\/.env.dev HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit\/537.36 (K\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.env.dev\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.env.dev HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.env.dev HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.env.dev HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit\/537.36 (K\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.env.dev\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.env.dev HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.env.dev HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.env.dev HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit\/537.36 (K\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022efa2c499e4110016c07a0e2e234bb49347d1afa3\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":256},{"id":8287039,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57528,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":31,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/.env.prod","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022prod\u0022, \u0022http_ua_hash\u0022: \u0022c14bf96833bdd8aa770bb9da7ac2822dec887995\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022a0523bde74b7800a5f62604ba67d5973949853e7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 194, \u0022payload_entropy\u0022: 5.271226457128303, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e70ef21d8fc9810910cbcf7ee5fbe371b27b9c84\u0022, \u0022event_fingerprint\u0022: \u0022c841952c8e0405ce2c9ea94abc7f5037ec86b1db\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c6a2bcb6a6c371918bafda16a1164505\u0022, \u0022payload_hash\u0022: \u0022843f71cfce97f34c62e4e6fb77fcf685\u0022, \u0022path_pattern_hash\u0022: \u00220d46dff1e6403d12ac8e9a297c932ed9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/api\/.env.prod HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\\r\\nA\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.env.prod\u0022, \u0022user_agent\u0022: \u0022Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.env.prod HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.env.prod HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.env.prod HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\\r\\nA\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.env.prod\u0022, \u0022user_agent\u0022: \u0022Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.env.prod HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.env.prod HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.env.prod HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\\r\\nA\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f7f5f84f63e77e22e9f406d113373ddd8002ec8d\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":194},{"id":8287040,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57538,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":35,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/staging\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022afd025b06b40b784279794656acbfbcaecfe5b00\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022111415a347404bdd37fcf414f912f654289a0484\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 292, \u0022payload_entropy\u0022: 5.472740180685283, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a9dfc975daced8fcd89aa5a55c82bc33fa670d10\u0022, \u0022event_fingerprint\u0022: \u0022e74db1f028ed7d6436b5a737342ec26272b6ba99\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002248b77ab855ab2862ab797d6da303d70b\u0022, \u0022payload_hash\u0022: \u0022a7e22abb5e2ec8b7202a3ab95570b45f\u0022, \u0022path_pattern_hash\u0022: \u002265b91a5bf45b2313cae0e22cf01533dc\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/staging\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profi\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/staging\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) WicKed\/7.1.12344\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/staging\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/staging\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) WicKed\/7.1.12344\\r\\nAccept-Charset: utf-8\\r\\nAccept-E\u0022, \u0022payload_snippet\u0022: \u0022GET \/staging\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profi\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/staging\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) WicKed\/7.1.12344\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/staging\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/staging\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) WicKed\/7.1.12344\\r\\nAccept-Charset: utf-8\\r\\nAccept-E\u0022, \u0022payload_snippet\u0022: \u0022GET \/staging\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profi\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002269c41d3ba7fcaaba836f15e11ad6e2a001a74596\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_staging\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) WicKed\/7.1.12344","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_staging\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":292},{"id":8287041,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57540,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/production\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022bc015ca793896994b398da81b73ea6411505c24f\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00220e5da18e94a87fd88e6a09d81109dbf41d7bea9b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.394367087683791, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002289fac2ab28969fbfe88f0e07d157d71a65b00c20\u0022, \u0022event_fingerprint\u0022: \u0022bd1a505a947e364660d91856aefae549c1424dac\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022e6eb4f21da426bcec45322842c03b78a\u0022, \u0022payload_hash\u0022: \u002296577427a74b2be27c6b033fb41cb7cb\u0022, \u0022path_pattern_hash\u0022: \u0022ea627d9d22b8cf889f18c35c4c7d909f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/production\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/production\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/production\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/production\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/production\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/production\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/production\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/production\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/production\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222063644f26c088ab34e3f41ce607e3d5d3a40762\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":243},{"id":8287042,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57544,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":28,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/v1\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00223f29025821b3a94eaa79a10f577739f1a7d267f6\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00220f6d25494f66c35cd0bd7eb1054d443c9b0c6f63\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 228, \u0022payload_entropy\u0022: 5.29290203485433, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a0953b5f746f889175fb1393d5469e7be9c3245e\u0022, \u0022event_fingerprint\u0022: \u0022f08f799948bff78c930f172643663801876ca80c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00228189347f53da54fe3964a69ee13bbe99\u0022, \u0022payload_hash\u0022: \u00222575e618d6c75c2d4ada9e69f28d98c9\u0022, \u0022path_pattern_hash\u0022: \u0022a29d1f8ccacc51ac2e54fe6653b8d5f0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/v1\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configura\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v1\/.env\u0022, \u0022user_agent\u0022: \u0022SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/v1\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v1\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/v1\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configura\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v1\/.env\u0022, \u0022user_agent\u0022: \u0022SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/v1\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v1\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/v1\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configura\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f47e34028539c46a082fa7f46b71d4747735878c\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":228},{"id":8287043,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57564,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":35,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/v3\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u002273d0ffe91f171255677c4c78e15678f5000775f0\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00228c6c0cf35b21182c44d1fbe7c55901c2e77c5cbc\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 259, \u0022payload_entropy\u0022: 5.450861753320522, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022828bea7b6427ebba83904ef3b3d9a450ce8a5106\u0022, \u0022event_fingerprint\u0022: \u0022713644c8fcc5a3fd685c3a0a9b6656e2252e1eef\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f7c1824f612605beecab6a5ef0f931ea\u0022, \u0022payload_hash\u0022: \u0022892d576fd28b748c13015d68c00acffd\u0022, \u0022path_pattern_hash\u0022: \u0022b9266b5e3818db8e42f016e0af085277\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/v3\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; Le X620 Build\/MRA58K) AppleWebKit\/537.3\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v3\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 6.0; Le X620 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/v3\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v3\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; Le X620 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/v3\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; Le X620 Build\/MRA58K) AppleWebKit\/537.3\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v3\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 6.0; Le X620 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/v3\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v3\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; Le X620 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/v3\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; Le X620 Build\/MRA58K) AppleWebKit\/537.3\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227cb9a0d38569f22842ffc2af99c8acfa8562bf5b\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Linux; Android 6.0; Le X620 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":259},{"id":8287044,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57552,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":46,"waf_tags":"[\u0022950086:sqli-21\u0022, \u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/v3\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00229ead864eae776af34a3bfed185eea8d153ca079a\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022bd51d82ebe68616089e33c9b7e8bd3dca93e4339\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 407, \u0022payload_entropy\u0022: 5.545110313961639, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002243c11ecae862184c221b86e3fc11a2d68354549f\u0022, \u0022event_fingerprint\u0022: \u0022192d177c54d3859348a30f722af2e6cca164ce95\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 185, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0214\u0022], \u0022matched_pattern_names\u0022: [\u0022Probe \/api\/v3\/\u0022], \u0022pattern_ids\u0022: [\u0022pat-0214\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002297f1748f3d699340948669a768fbd692\u0022, \u0022payload_hash\u0022: \u0022525d55e1c9c35256edb4bb1113baae6d\u0022, \u0022path_pattern_hash\u0022: \u002204909e92bace7d0131f14c363849c629\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/api\/v3\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Mi Note 3 Build\/OPM1.171019.019; \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/v3\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.1.0; Mi Note 3 Build\/OPM1.171019.019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/67.0.3396.87 XWEB\/882 MMWEBSDK\/190505 Mobile Safari\/537.36 MMWEBID\/358 MicroMessenger\/7.0.5.1440(0x27000537) Process\/tools Ne\u2026\u0022, \u0022waf_tags\u0022: [\u0022950086:sqli-21\u0022, \u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-21\u0022, \u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/v3\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/v3\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Mi Note 3 Build\/OPM1.171019.019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/67.0.3396.87 XWEB\/882 MMWEBSDK\/190505 Mobile Safari\/537.36 MMWEBID\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v3\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Mi Note 3 Build\/OPM1.171019.019;\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/v3\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.1.0; Mi Note 3 Build\/OPM1.171019.019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/67.0.3396.87 XWEB\/882 MMWEBSDK\/190505 Mobile Safari\/537.36 MMWEBID\/358 MicroMessenger\/7.0.5.1440(0x27000537) Process\/tools Ne\u2026\u0022, \u0022waf_tags\u0022: [\u0022950086:sqli-21\u0022, \u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-21\u0022, \u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/v3\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/v3\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Mi Note 3 Build\/OPM1.171019.019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/67.0.3396.87 XWEB\/882 MMWEBSDK\/190505 Mobile Safari\/537.36 MMWEBID\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v3\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Mi Note 3 Build\/OPM1.171019.019;\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224a73d17bdeeee16d11130703077bb74c2115ade1\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950086:sqli-21\u0022, \u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Linux; Android 8.1.0; Mi Note 3 Build\/OPM1.171019.019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/67.0.3396.87 XWEB\/882 MMWEBSDK\/190505 Mobile Safari\/537.36 MMWEBID\/358 MicroMessenger\/7.0.5.1440(0x27000537) Process\/tools NetType\/4G Language\/zh_CN","http_referer":null,"tags":"[\u0022950086:sqli-21\u0022, \u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":407},{"id":8287045,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57554,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/prod\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022a9c9131f21bbd498611e10f71331c7dd5e9f7d05\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00227702579be3ca2d14cb80324c6a749f13cc1e6ce1\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.407833667579817, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002289fac2ab28969fbfe88f0e07d157d71a65b00c20\u0022, \u0022event_fingerprint\u0022: \u0022d2be85286b316f43ae995ef172a1bcd3bd7a04e0\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022171b677823d70df4d8448ff04ae83405\u0022, \u0022payload_hash\u0022: \u00227e9965890251da1341ccd1f0d1fe34a6\u0022, \u0022path_pattern_hash\u0022: \u0022e986d9a8713d4af4d188b7a61ad378ee\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/prod\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTM\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/prod\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/prod\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/prod\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/prod\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTM\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/prod\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/prod\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/prod\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/prod\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTM\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022146f00d7bdd2bc75e22724522107050f178d5e72\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":243},{"id":8287046,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57574,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":35,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/v2\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022fb421555db09fced69648f6726af353413309d8f\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u002279d69dbab75f7603ce6f8ff1846eda4ce95a3fd2\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 246, \u0022payload_entropy\u0022: 5.411540620729484, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022828bea7b6427ebba83904ef3b3d9a450ce8a5106\u0022, \u0022event_fingerprint\u0022: \u002297b58607411474d85b545255dc29049f847f0e8c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226915d10c5bac758cd8969be33236d029\u0022, \u0022payload_hash\u0022: \u002232320e33b8cb97c69eaae01b4fa17f79\u0022, \u0022path_pattern_hash\u0022: \u0022ea63ee477c90ac313ab228a937b8deee\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/v2\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTM\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v2\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/v2\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v2\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/v2\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTM\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v2\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/v2\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v2\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/v2\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTM\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f7c0f2e98dd92602dfda7acb21248cccd9bac1bf\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":246},{"id":8287047,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57594,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":35,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/qa\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00225e94862642bf6226f7d90a29b61f4cea938ae052\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022347f368cf7019820ddbef16e4ba72b557e9ffd91\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 240, \u0022payload_entropy\u0022: 5.358679159333535, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022828bea7b6427ebba83904ef3b3d9a450ce8a5106\u0022, \u0022event_fingerprint\u0022: \u0022b8fa93cb48a3aca1e764e39d4debc2cc41ce51e1\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00221fa75d0f80798ea8c4dd96917af34a74\u0022, \u0022payload_hash\u0022: \u00227d1b5017675796b089726b185122553a\u0022, \u0022path_pattern_hash\u0022: \u0022304ba9ff810db7ae18a3843216ad1c4b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/qa\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KH\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/qa\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Reeder\/3.2 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/qa\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/qa\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Reeder\/3.2 Safari\/605.1.15\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/qa\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KH\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/qa\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Reeder\/3.2 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/qa\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/qa\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Reeder\/3.2 Safari\/605.1.15\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/qa\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KH\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d1842eb3aa4d58a83716df159c725181caf80c76\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Reeder\/3.2 Safari\/605.1.15","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":240},{"id":8287048,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57588,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/dev\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022cb4b1b750e753434b1d9a07b45ceeb9485f74750\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u002295dbd9173b5580a94a3583c1e8d31bee303be7a7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 215, \u0022payload_entropy\u0022: 5.401230877090016, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002239a8af74187507424d747d3d502f92a50b72ae11\u0022, \u0022event_fingerprint\u0022: \u0022c4a2037ca765fb6f7783c13a72d7bcbcc6aa56d2\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226ada5f944d3e9ea5ff2aae41c3b4d633\u0022, \u0022payload_hash\u0022: \u00223ba054a5b4cf7ff3bab347ecf3e2e35c\u0022, \u0022path_pattern_hash\u0022: \u00225776ea19ec2f88a0568ff0bc7de6e909\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/dev\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Geck\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/dev\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413 es50\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/dev\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/dev\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413 es50\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/dev\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Geck\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/dev\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413 es50\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/dev\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/dev\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413 es50\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/dev\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Geck\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226a9a83e49702ff24b06caa7b8852cdc54caf5adb\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_dev\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413 es50","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_dev\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":215},{"id":8287049,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57608,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":14,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/stage\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022d26eab59ef7aebc1c5985aae4552f1ebd7aa0558\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022737ca670329de18dc663a9b1a810e4d99c607cf0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 165, \u0022payload_entropy\u0022: 5.214825227997919, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 64.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 64.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c4c4f1b7614489cb01f9ab905b7d15c6b597ab24\u0022, \u0022event_fingerprint\u0022: \u0022758150bebdba6d1cef13c284b210d78ef0a30194\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002291f6acd3814db78860f3895180f75f5e\u0022, \u0022payload_hash\u0022: \u0022de35f5ddb7b112fd224794db00e6816c\u0022, \u0022path_pattern_hash\u0022: \u002225b2f069e3141e0796938ca9e4e845aa\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/stage\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686])\\r\\nAccept-Charset: utf-8\\r\\nAccept-\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/stage\/.env\u0022, \u0022user_agent\u0022: \u0022Uzbl (Webkit 1.3) (Linux i686 [i686])\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/stage\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/stage\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686])\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/stage\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686])\\r\\nAccept-Charset: utf-8\\r\\nAccept-\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/stage\/.env\u0022, \u0022user_agent\u0022: \u0022Uzbl (Webkit 1.3) (Linux i686 [i686])\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/stage\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/stage\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686])\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/stage\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686])\\r\\nAccept-Charset: utf-8\\r\\nAccept-\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229f10c3bd1e348e321c665dbfdea301f48f101610\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Uzbl (Webkit 1.3) (Linux i686 [i686])","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":7,"bytes_in":165},{"id":8287050,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57600,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":35,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/development\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022ece89018f8e51dcdb25431bef4142f642a506f93\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022368a782b06d2e3f08e91fcad6aa099df587b3caa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 199, \u0022payload_entropy\u0022: 5.272536440139591, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226170ac77407eeaa48430bfd6ffc8c3473d64411f\u0022, \u0022event_fingerprint\u0022: \u0022e21b36d981af3583be6ccd1f8aaa86f997991e20\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00223ef775987e41dcc313d41d88786ef3b6\u0022, \u0022payload_hash\u0022: \u0022273de0639adf8040c889254803a0391d\u0022, \u0022path_pattern_hash\u0022: \u00225ac5643a22156fcbe040fcd2350884e7\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/development\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/development\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/development\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/development\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/development\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/development\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/development\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/development\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/development\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c5b519db87640f5bd364625e927be0a071c68fc9\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":199},{"id":8287051,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57622,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/test\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00222d8bcb907bf81985d29ed9ad09c744bea8258b71\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00228197cec9b1d84f19de1c5b10c28917030b9542e4\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 211, \u0022payload_entropy\u0022: 5.224527473769411, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e8f556317f0fb6c1005a94ef5dfce3f5a74dd568\u0022, \u0022event_fingerprint\u0022: \u0022d62bb94a1bbb29bb04d177e0b1d4622b45cc79e7\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022a7cbfa848ac307add6c1512eb30c65d5\u0022, \u0022payload_hash\u0022: \u002270feb086fe46240b27071e1b87838219\u0022, \u0022path_pattern_hash\u0022: \u0022a0f6f48aed881c23044b32112fcbe5cd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/test\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 S\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/test\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 SeaMonkey\/1.1.8\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/test\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/test\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 SeaMonkey\/1.1.8\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/test\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 S\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/test\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 SeaMonkey\/1.1.8\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/test\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/test\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 SeaMonkey\/1.1.8\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/test\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 S\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022165dad8cc4bf57814f7d99188949196f49f5389b\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_test\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 SeaMonkey\/1.1.8","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_test\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":211},{"id":8287052,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57626,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/uat\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u002217122a49c4cf7070f9a1d61fe3e60a0482e9abba\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00221eb2933a38e1b26e0106588b5505e9710f93d6fb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 253, \u0022payload_entropy\u0022: 5.403626035873637, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002289fac2ab28969fbfe88f0e07d157d71a65b00c20\u0022, \u0022event_fingerprint\u0022: \u0022a2c22a6420185760b9219155e7c8580c62e936e2\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002240447121961eef0f767d2ee7795cf127\u0022, \u0022payload_hash\u0022: \u0022f58f0b1c2d5d26b91728f570b67fecd3\u0022, \u0022path_pattern_hash\u0022: \u00221a8fcb54c8457aab1171c5a3ff6b1128\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/uat\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(7) play) AppleWebKit\/537.36 (KHTM\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/uat\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; moto g(7) play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/uat\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/uat\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(7) play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/uat\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(7) play) AppleWebKit\/537.36 (KHTM\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/uat\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; moto g(7) play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/uat\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/uat\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(7) play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/uat\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(7) play) AppleWebKit\/537.36 (KHTM\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c2eace081db30aee7941b6e8a91bb111d768d310\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; moto g(7) play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":253},{"id":8287053,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57638,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/app\/.env.local","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022local\u0022, \u0022http_ua_hash\u0022: \u00223a11fde199781275f7211e7cad66b1631ceb098b\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00226b35726d908ca1441d48958552cc4f0c6d6cdbcd\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 320, \u0022payload_entropy\u0022: 5.459299845268668, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002289fac2ab28969fbfe88f0e07d157d71a65b00c20\u0022, \u0022event_fingerprint\u0022: \u00228660db8120d5a6a5a07f5bdfe7de84249a3b8088\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022e208e535d8b7c8f8ceceb97d288ce28c\u0022, \u0022payload_hash\u0022: \u002227144202863e9198472bf7501fd323f3\u0022, \u0022path_pattern_hash\u0022: \u0022d0aea5366423bcf3f26207cfc3fa52c7\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/app\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.1.2; el-gr; Redmi 4X Build\/N2G47\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.env.local\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 7.1.2; el-gr; Redmi 4X Build\/N2G47H) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrowser\/10.9.7-g\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/app\/.env.local HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.1.2; el-gr; Redmi 4X Build\/N2G47H) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrowser\/10.9.7-g\\r\\nAcc\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.1.2; el-gr; Redmi 4X Build\/N2G47\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.env.local\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 7.1.2; el-gr; Redmi 4X Build\/N2G47H) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrowser\/10.9.7-g\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/app\/.env.local HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.1.2; el-gr; Redmi 4X Build\/N2G47H) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrowser\/10.9.7-g\\r\\nAcc\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.1.2; el-gr; Redmi 4X Build\/N2G47\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223973454bc498464b305c0df0d40e1a0a7fd4a0c0\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Linux; U; Android 7.1.2; el-gr; Redmi 4X Build\/N2G47H) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrowser\/10.9.7-g","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":320},{"id":8287054,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57650,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/app\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u002278b3da388f07125922275ece3097b6f15cda702b\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022628b9cb47d9f8d6e8fddc1b7d3cebf1133d17f4f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 253, \u0022payload_entropy\u0022: 5.383115723599998, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002289fac2ab28969fbfe88f0e07d157d71a65b00c20\u0022, \u0022event_fingerprint\u0022: \u002204f0e23f049a0409291883528acef3a530eaff24\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00222fe5bca2bb102783ce93b1df880741ca\u0022, \u0022payload_hash\u0022: \u002281e9a0552888ed8ef6bdb60324c49d39\u0022, \u0022path_pattern_hash\u0022: \u00226215588c522bb159cbcefac1cb9fb1de\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/app\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTM\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/app\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTM\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/app\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTM\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e3fb411bfb00ab353199ed39ffd15bae88bf7552\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":253},{"id":8287055,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57660,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/app\/.env.prod","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022prod\u0022, \u0022http_ua_hash\u0022: \u0022b0743359cca000a94882207e34f02c84ce034c0e\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022ee922ae5907bc48e4659f274d485f8c67812795b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 264, \u0022payload_entropy\u0022: 5.4550084543447985, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002289fac2ab28969fbfe88f0e07d157d71a65b00c20\u0022, \u0022event_fingerprint\u0022: \u00221ee44c11c949fbdbc19f38227643b59e7fc7c470\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002290e607b816a82867de956a7806fccdec\u0022, \u0022payload_hash\u0022: \u002219034b3a71481baa7d099c9ed9103564\u0022, \u0022path_pattern_hash\u0022: \u002222e14c6f65ce5c9bdbd96012d1745d82\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/app\/.env.prod HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.env.prod\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.87 Chrome\/76.0.3809.87 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/app\/.env.prod HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.env.prod HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.87 Chrome\/76.0.3809.87 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: c\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.env.prod HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.env.prod\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.87 Chrome\/76.0.3809.87 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/app\/.env.prod HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.env.prod HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.87 Chrome\/76.0.3809.87 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: c\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.env.prod HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223be2e4dc719b8b9fd2576fc50eb31fc1c6fdcb49\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.87 Chrome\/76.0.3809.87 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":264},{"id":8287056,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57668,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":21,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/app\/.env.production","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022production\u0022, \u0022http_ua_hash\u0022: \u0022c4a0fe09bc991f38f2762ac98ebb299ccaac5c38\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00229f1a3b476954729097b55b44dc605e9187baaeeb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 194, \u0022payload_entropy\u0022: 5.189860597888304, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 92.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e172cb3a8db13dd0d8b5067113621dd672784d2e\u0022, \u0022event_fingerprint\u0022: \u00222f67c16acaf5e9d7dd9166746c4634621d2c2e75\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00229d8a676a5e70446588dc3ff902297c42\u0022, \u0022payload_hash\u0022: \u0022db5f7c60920286b5640622d0c69ecbe9\u0022, \u0022path_pattern_hash\u0022: \u0022129b91fce99c27e6763c24ece35d5295\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/app\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: iTunes\/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca)\\r\\nA\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.env.production\u0022, \u0022user_agent\u0022: \u0022iTunes\/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/app\/.env.production HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: iTunes\/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: iTunes\/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca)\\r\\nA\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.env.production\u0022, \u0022user_agent\u0022: \u0022iTunes\/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/app\/.env.production HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: iTunes\/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: iTunes\/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca)\\r\\nA\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224b9d43816b6e79d47e8cfd7ac72e8e6f69f9c09b\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"iTunes\/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca)","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":194},{"id":8287057,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57678,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/app\/.env.backup","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022backup\u0022, \u0022http_ua_hash\u0022: \u00226bdc83be1502cceec28399be1549bf9ea96387d9\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022b42013d9fc6faf7024bf195a915bf9a177806a2f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 285, \u0022payload_entropy\u0022: 5.419225898486543, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002289fac2ab28969fbfe88f0e07d157d71a65b00c20\u0022, \u0022event_fingerprint\u0022: \u00225cd931629495177326bb137e646848367522cdfa\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022607b163a5ea2eb38609e341d7820bca4\u0022, \u0022payload_hash\u0022: \u00229edb08f47255483b0f2f112938977883\u0022, \u0022path_pattern_hash\u0022: \u0022114733505d40fc8a9280b409ddd76598\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/app\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.env.backup\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3722.400 QQBrowser\/10.5.3763.400\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/app\/.env.backup HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3722.400 QQBrowser\/10.5.3763.400\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.env.backup\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3722.400 QQBrowser\/10.5.3763.400\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/app\/.env.backup HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3722.400 QQBrowser\/10.5.3763.400\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e2fa5b8278928ace6bd71ad6185ac404bac735ee\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3722.400 QQBrowser\/10.5.3763.400","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":285},{"id":8287058,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57694,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":35,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022]","http_method":"GET","http_target":"\/app\/.env.bak","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022bak\u0022, \u0022http_ua_hash\u0022: \u0022031ff0258154d1eac873b26f3492f9a96a7bd2d9\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022675fe9576f3ec7add08a15dd0c540b55e5bbfdec\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 252, \u0022payload_entropy\u0022: 5.400084199665182, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002211770b663ddcbc64ccd759f182e5625d28c841f4\u0022, \u0022event_fingerprint\u0022: \u0022a5e9fdb1f4884b53a7af9ce154b8fc334e547354\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c2f37b314141013853374c7f76ffa74e\u0022, \u0022payload_hash\u0022: \u00220270addb9bac305d25e06f0784e4862b\u0022, \u0022path_pattern_hash\u0022: \u0022a68a9dfeaee6097716a18c2b9f43c5f9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/app\/.env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.env.bak\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022leak-8\u0022], \u0022request_line\u0022: \u0022GET \/app\/.env.bak HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.env.bak\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022leak-8\u0022], \u0022request_line\u0022: \u0022GET \/app\/.env.bak HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227d57ceb2aefae83ca1ddeee5b78c3cb8b5fce8e8\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":252},{"id":8287059,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57706,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/app\/.env.dev","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022dev\u0022, \u0022http_ua_hash\u0022: \u00226c68b31e4afe613651be3d49fd3f6f12f40168c0\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022df5aa2d688155147d78025f13efee7d00a0eafd8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 251, \u0022payload_entropy\u0022: 5.4376727615516876, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002289fac2ab28969fbfe88f0e07d157d71a65b00c20\u0022, \u0022event_fingerprint\u0022: \u002297f0e7d08611200c4625dc2056186f111aa7a097\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002277c7bee56c3a61cc8dc4c726a4bc15e4\u0022, \u0022payload_hash\u0022: \u00226303d1ac76d545a0de88f9f4ff0322c4\u0022, \u0022path_pattern_hash\u0022: \u002280cfd304d2c6517de5f460ebde85ca3d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/app\/.env.dev HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.env.dev\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/app\/.env.dev HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.env.dev HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.env.dev HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.env.dev\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/app\/.env.dev HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.env.dev HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.env.dev HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e91221db5d4b8c7e088aee7c2b3332a0f5794bb1\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":251},{"id":8287060,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57696,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":35,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022]","http_method":"GET","http_target":"\/app\/.env.old","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022old\u0022, \u0022http_ua_hash\u0022: \u0022b1db1b6711c27a4fa5cf6a9f8ea82819e09de87d\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022ad318b5cc7cc0c1bf7e3b724fbebccf0a8e6ad42\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 300, \u0022payload_entropy\u0022: 5.502251161762792, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002211770b663ddcbc64ccd759f182e5625d28c841f4\u0022, \u0022event_fingerprint\u0022: \u00224799f3a30df09f3b1e77fbe780b0a68b0d4db6c6\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022cf2d56203cddd77aaa519afd5a80048e\u0022, \u0022payload_hash\u0022: \u002227bfa2ab5d2fbef5cb512a30063cfd7b\u0022, \u0022path_pattern_hash\u0022: \u00228ac2cfa932003fc4c8032f73eb2729b9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/app\/.env.old HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960F Build\/PPR1.180610.0\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.env.old\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/8.2 Chrome\/63.0.3239.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022leak-8\u0022], \u0022request_line\u0022: \u0022GET \/app\/.env.old HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.env.old HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/8.2 Chrome\/63.0.3239.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.env.old HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960F Build\/PPR1.180610.0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.env.old\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/8.2 Chrome\/63.0.3239.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022leak-8\u0022], \u0022request_line\u0022: \u0022GET \/app\/.env.old HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.env.old HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/8.2 Chrome\/63.0.3239.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.env.old HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960F Build\/PPR1.180610.0\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022842676812fb7d2bd6e43ab86538f941aa2a44a1c\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/8.2 Chrome\/63.0.3239.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":300},{"id":8287061,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57710,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/app\/.env.staging","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022staging\u0022, \u0022http_ua_hash\u0022: \u0022b1e7dd6d29e880c014bdd0f2b62522a104801cab\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022e84f59fbbec8a04fdfc3078fbdf0ae4fd69640c6\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 244, \u0022payload_entropy\u0022: 5.399313744415246, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002289fac2ab28969fbfe88f0e07d157d71a65b00c20\u0022, \u0022event_fingerprint\u0022: \u0022782ce0e62d9b5c5dfa958ca59a58bcfdd1f7f15c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002294095ff7e391a8e3a58b49f3a1340809\u0022, \u0022payload_hash\u0022: \u0022711b8b4d3e28d83046222bb6462232a2\u0022, \u0022path_pattern_hash\u0022: \u00225a281530de78ccf813317373171371c8\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/app\/.env.staging HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.env.staging\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/app\/.env.staging HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.env.staging HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.env.staging HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.env.staging\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/app\/.env.staging HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.env.staging HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.env.staging HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022de14a7e926670ea83600a9d4e4adf20afaecb3ee\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":244},{"id":8287062,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57716,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/app\/api\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022cdc17bd51ab1f8511346e49d1eddfeb06b6057f4\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022a26af0cb127afb7f53aace7ab18a175b4d8a51bd\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 245, \u0022payload_entropy\u0022: 5.406563934616501, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002289fac2ab28969fbfe88f0e07d157d71a65b00c20\u0022, \u0022event_fingerprint\u0022: \u0022acc055ddee38301466885eb6e536478387cef8a0\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226e1fbfb722026fc2fea44003247fc8bc\u0022, \u0022payload_hash\u0022: \u00227590aa7a46012afa59a0a1aa7052444b\u0022, \u0022path_pattern_hash\u0022: \u00229328998b0872bf59d928235746a301f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/app\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/api\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/app\/api\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/api\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/app\/api\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002248ab09895e1f5ed8d784c905d3831b5b41dcc2b5\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":245},{"id":8287063,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57720,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/app\/backend\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u002289e6abe6a3f1d5a391ac7c0eb8cf70acf5ba31dd\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u002297ef8b86f35b56a86d5dbe6549b6162a1d5ef49e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 248, \u0022payload_entropy\u0022: 5.435159882098846, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002289fac2ab28969fbfe88f0e07d157d71a65b00c20\u0022, \u0022event_fingerprint\u0022: \u0022415b01fc0e5c15c87288eb5468af6764cdd2d99f\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002244b94a6902ea38a9e8505e05db84b069\u0022, \u0022payload_hash\u0022: \u0022911e915acbe9413752854ceb2057a8a2\u0022, \u0022path_pattern_hash\u0022: \u0022288b39c98eb1f440a224c00537d9552f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/app\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KH\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/backend\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/app\/backend\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KH\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/backend\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/app\/backend\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KH\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224ff15d1e9b50657076893e1cfb8c95a36fe3f345\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":248},{"id":8287064,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57736,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/backend\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00224184044bad7ba51283d3e6840c5dbec309a6ef27\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u002243427b722c17a9a0bc6fc425a8ca9501d2c985f0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 251, \u0022payload_entropy\u0022: 5.376534522381449, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002289fac2ab28969fbfe88f0e07d157d71a65b00c20\u0022, \u0022event_fingerprint\u0022: \u0022104d24fc0af25533f5462e38af4eba93c25e6a11\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00222eaa9eb4cc81509736c0f74aaadee18f\u0022, \u0022payload_hash\u0022: \u00228a858aca6110d54c7d5eb73ef434ebd5\u0022, \u0022path_pattern_hash\u0022: \u00221ffd9afa4ff51d558fbb13c458726c9c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36 \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/backend\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/backend\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/backend\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/backend\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dd3c40162a45d4206bce09df6e3b4e5293edf42a\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":251},{"id":8287065,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57738,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/backend\/.env.local","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022local\u0022, \u0022http_ua_hash\u0022: \u0022b3970182b67098d11a430fd4d67f51464465054f\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00227a997ecf8c7c3ade11101024aba12e58dee560af\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 257, \u0022payload_entropy\u0022: 5.411920248341092, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002289fac2ab28969fbfe88f0e07d157d71a65b00c20\u0022, \u0022event_fingerprint\u0022: \u0022f46e09a486bfe192a590c9be4766535d03f1e59b\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00225d16faaeaca0e0a05462f6520cd0ed8d\u0022, \u0022payload_hash\u0022: \u002240923dde28151ab58cec155d02c3f9cc\u0022, \u0022path_pattern_hash\u0022: \u00226e2a711f7323df4e4b7b37b3c8fb7ec7\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/backend\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/5\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/backend\/.env.local\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/backend\/.env.local HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/backend\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/backend\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/5\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/backend\/.env.local\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/backend\/.env.local HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/backend\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/backend\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/5\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ea322a2f0920e5daa924665639df8c0dd773616e\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":257},{"id":8287066,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57744,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/backend\/.env.prod","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022prod\u0022, \u0022http_ua_hash\u0022: \u00224b34faf3bb1b579874fe2a9de9ae1f9c2939f5e1\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022ece1b00dd116de2d5cd1e616b647fb67b7d3b035\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 240, \u0022payload_entropy\u0022: 5.43796155931392, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002289fac2ab28969fbfe88f0e07d157d71a65b00c20\u0022, \u0022event_fingerprint\u0022: \u002249b330a986f3034fe55a30e7dcdbc02faf87e0ab\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022fdb80025e99489fe497e7387349cd0a4\u0022, \u0022payload_hash\u0022: \u002211e3a9bff97de47c695997d59fadd2fe\u0022, \u0022path_pattern_hash\u0022: \u002206b37c283e0032a53442bbe10821cfeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/backend\/.env.prod HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/backend\/.env.prod\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/backend\/.env.prod HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/backend\/.env.prod HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/backend\/.env.prod HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/backend\/.env.prod\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/backend\/.env.prod HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/backend\/.env.prod HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/backend\/.env.prod HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002228f3299ab7fb54e96fe7179d33f8577adccde8d7\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":240},{"id":8287067,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57748,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/backend\/.env.production","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022production\u0022, \u0022http_ua_hash\u0022: \u0022e0e4d66b08dfd8224529e383fcad844f8a7b0fb4\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022f5bb9f02b8945472030d827baea0ca721346631c\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 267, \u0022payload_entropy\u0022: 5.3178820139505465, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002289fac2ab28969fbfe88f0e07d157d71a65b00c20\u0022, \u0022event_fingerprint\u0022: \u002272ebdd509e8434ac60b45e83bcc0ce433e5121ed\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00228b37155da47f709a193143ea98ca253a\u0022, \u0022payload_hash\u0022: \u0022f40cd5437a36660a750f15d5a95b1532\u0022, \u0022path_pattern_hash\u0022: \u002236d1a8d01ff9d9e501d856bd9686d325\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/backend\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.0; en-us; dream) AppleW\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/backend\/.env.production\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 1.0; en-us; dream) AppleWebKit\/525.10  (KHTML, like Gecko) Version\/3.0.4 Mobile Safari\/523.12.2\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/backend\/.env.production HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/backend\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.0; en-us; dream) AppleWebKit\/525.10  (KHTML, like Gecko) Version\/3.0.4 Mobile Safari\/523.12.2\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection\u0022, \u0022payload_snippet\u0022: \u0022GET \/backend\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.0; en-us; dream) AppleW\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/backend\/.env.production\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 1.0; en-us; dream) AppleWebKit\/525.10  (KHTML, like Gecko) Version\/3.0.4 Mobile Safari\/523.12.2\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/backend\/.env.production HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/backend\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.0; en-us; dream) AppleWebKit\/525.10  (KHTML, like Gecko) Version\/3.0.4 Mobile Safari\/523.12.2\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection\u0022, \u0022payload_snippet\u0022: \u0022GET \/backend\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.0; en-us; dream) AppleW\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221d8abb986d7ce03dc2e665efc9059c200aac3818\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Linux; U; Android 1.0; en-us; dream) AppleWebKit\/525.10  (KHTML, like Gecko) Version\/3.0.4 Mobile Safari\/523.12.2","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":267},{"id":8287068,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57764,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/backend\/.env.backup","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022backup\u0022, \u0022http_ua_hash\u0022: \u0022eaffd19466b40201afc74c1895732f48a659310f\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022010b38f2c3ba3880210fba1c683062ead6b6ee06\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 266, \u0022payload_entropy\u0022: 5.449540545414159, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002289fac2ab28969fbfe88f0e07d157d71a65b00c20\u0022, \u0022event_fingerprint\u0022: \u00223fd33b7861be81abb04778fda95f4de08e63df4b\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f8a8bea4d7391eb9891620a4be35b125\u0022, \u0022payload_hash\u0022: \u002289290c7f9f7f7df75ec88ae540c7daa9\u0022, \u0022path_pattern_hash\u0022: \u0022d21da08f9b6364ea0d2550ff45214b03\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/backend\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) App\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/backend\/.env.backup\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/backend\/.env.backup HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/backend\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection:\u0022, \u0022payload_snippet\u0022: \u0022GET \/backend\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) App\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/backend\/.env.backup\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/backend\/.env.backup HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/backend\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection:\u0022, \u0022payload_snippet\u0022: \u0022GET \/backend\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) App\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a843703d14306191e1a01b7f66b7048de0524c32\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":266},{"id":8287069,"ip":"8.230.14.61","ts":"2026-06-04 23:22:47.000000","proto":"tcp","src_port":57778,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":35,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022]","http_method":"GET","http_target":"\/backend\/.env.bak","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022bak\u0022, \u0022http_ua_hash\u0022: \u0022cde36e9129cdba07270e4d382bf3b71e62b365fe\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022634ed927b1f303dd63cc0a7dc5f7e8b5a6847ee7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 217, \u0022payload_entropy\u0022: 5.310064966170095, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022KR\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002211770b663ddcbc64ccd759f182e5625d28c841f4\u0022, \u0022event_fingerprint\u0022: \u0022be145f8c05df65ac923497f64c63d467e59e9a2e\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022KR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ea721dc2ca94328d48b3bb4afb43563f\u0022, \u0022payload_hash\u0022: \u0022a3c6b6ccf63bb458c63abcbf415f7f37\u0022, \u0022path_pattern_hash\u0022: \u00226679bce94c041ed02cf99c5001176812\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/backend\/.env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: HTC-ST7377\/1.59.502.3 (67150) Opera\/9.50 (Windows NT 5.1; U; en\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/backend\/.env.bak\u0022, \u0022user_agent\u0022: \u0022HTC-ST7377\/1.59.502.3 (67150) Opera\/9.50 (Windows NT 5.1; U; en) UP.Link\/6.3.1.17.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022leak-8\u0022], \u0022request_line\u0022: \u0022GET \/backend\/.env.bak HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/backend\/.env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: HTC-ST7377\/1.59.502.3 (67150) Opera\/9.50 (Windows NT 5.1; U; en) UP.Link\/6.3.1.17.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/backend\/.env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: HTC-ST7377\/1.59.502.3 (67150) Opera\/9.50 (Windows NT 5.1; U; en\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/backend\/.env.bak\u0022, \u0022user_agent\u0022: \u0022HTC-ST7377\/1.59.502.3 (67150) Opera\/9.50 (Windows NT 5.1; U; en) UP.Link\/6.3.1.17.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022leak-8\u0022], \u0022request_line\u0022: \u0022GET \/backend\/.env.bak HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/backend\/.env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: HTC-ST7377\/1.59.502.3 (67150) Opera\/9.50 (Windows NT 5.1; U; en) UP.Link\/6.3.1.17.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/backend\/.env.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: HTC-ST7377\/1.59.502.3 (67150) Opera\/9.50 (Windows NT 5.1; U; en\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221de3ff18cf453af6ee87e7ef54939816eec2a545\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"HTC-ST7377\/1.59.502.3 (67150) Opera\/9.50 (Windows NT 5.1; U; en) UP.Link\/6.3.1.17.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022950521:leak-8\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":217}],"total_events":302}