Détails IP 8.230.14.61

Synthèse exécutive

Profil de menace

Score de risque 69/100 Élevé

Première observation 04/06/2026 23:22 UTC

Dernière observation 04/06/2026 23:22 UTC

Événements (période) 302

MITRE ATT&CK principal —

risque 69/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%

Comparaison ASN / FAI

ASN 396982 · 8.230.0.0/19 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 302 événements sur la période pour cette IP.

198.235.24.123 Sonde port 18/06/2026 16:19 UTC
162.216.149.111 Scanner web 18/06/2026 16:12 UTC
147.185.132.252 tor exit probe 18/06/2026 16:12 UTC
34.14.21.193 Sonde SMB 18/06/2026 16:11 UTC
147.185.132.62 coap probe 18/06/2026 16:10 UTC
147.185.132.167 Scanner web 18/06/2026 16:08 UTC
147.185.132.54 afp probe 18/06/2026 16:05 UTC
162.216.149.166 Sonde PostgreSQL 18/06/2026 15:59 UTC

Événements (filtres)

302

Première observation

04/06/2026 23:22 UTC

Dernière observation

04/06/2026 23:22 UTC

Dernière activité (filtres)

04/06/2026 23:22 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

—

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 151 TLS TCP 151

HTTP

151

TLS

151

Géolocalisation

Origine réseau déclarée

Corée du Sud unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 82 config_file_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Aperçu payload

GET /portal/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit/537.36 (KH

Port / service

Recommandation

Investiguer

Confiance

100%

Famille de menace

path_traversal config_leak_scan

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

302 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

302 événement(s) — page 1/7

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.demo TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.demo Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.demo HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.demo HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KH Requête brute (extrait) GET /.env.demo HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "demo", "http_ua_hash": "fdaa4c1e1de66370701fdf4860e77b1c763f15b4", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "281117a46ffb6dbe77926884a25652c0da93651c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.42344071814178, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "94bfcd3e932f03e2980cc7bc477704996e3ec6df", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c3bbdc96b5aa6b0b36251a9ea5cdb741", "payload_hash": "561548c450c3c38fa6790be700500a3c", "path_pattern_hash": "ff56ce56a447b9537c511ab389b44d21" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/.env.demo", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.demo HTTP\/1.1", "request_sample": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/.env.demo", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.demo HTTP\/1.1", "request_sample": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (KH", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d7ac475ad7cf982656d7371df6c8589c62b7a990", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Cible HTTP GET /.env.local.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.local.bak Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Probe /.env.local Ligne de requête `GET /.env.local.bak HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /.env.local.bak HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like G Requête brute (extrait) GET /.env.local.bak HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "3d223265ba48595efd11ff58193bd7ad0c43df7c", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "14d941abaa5531ff4222826e2a078089eafb4502", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 237, "payload_entropy": 5.422841924018222, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "516b6c1cbd598076cc75a20e93ffe96cf15a405a", "event_fingerprint": "6d9b169262d17ce00e601cccf07f112443018efa", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 325, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0193", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0193", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191", "pat-0193" ], "matched_pattern_names": [ "Probe \/.env", "Probe \/.env.local" ], "pattern_ids": [ "pat-0191", "pat-0193" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "67276cddfcf3839c4ed1b28eb9a0bc9e", "payload_hash": "0a6dcd2097c9953d84bf4a255e0fcbcf", "path_pattern_hash": "6ce60df5c3a9e710b10793a4d5a3668f" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.local.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "method": "GET", "path": "\/.env.local.bak", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.local.bak HTTP\/1.1", "request_sample": "GET \/.env.local.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.local.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "evidence": { "method": "GET", "path": "\/.env.local.bak", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.local.bak HTTP\/1.1", "request_sample": "GET \/.env.local.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.local.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a3e605e435f1186f6d1459a382bb4c5d35367441", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_probe_env_local", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Tentative d'exploit	Élevée	Moyen · 60
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950521:leak-8 http_backup_file_scan Cible HTTP GET /env.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /env.bak Pourquoi cette classification : Tentative d'exploit (tag rce-0) · Sonde fichier sensible / config · confiance 62% Confiance classification 62% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /env.bak HTTP/1.1` User-Agent Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25 Règles WAF rce-0 nosqli-3 leak-8 Payload (extrait) GET /env.bak HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, Requête brute (extrait) GET /env.bak HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "504bf1882c89291b3d00121e743980a500faaa94", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "a267c1a6bb1f8e78acd54116556c5ca3263f5088", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.37245242211684, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 92, "classification": 72, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 60, "tag_count": 6, "anomaly_count": 0, "campaign_key": "d6c50d77431922d847c2bedf3efaf00b7abe6f64", "event_fingerprint": "66e8d4423e4c042d019a7edb731a2f898e0456bf", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e1bef62fbfaeba10d3d5412ad8263b9a", "payload_hash": "f66d2fea5002df7979ebf4595f36d081", "path_pattern_hash": "8c7af96cfa7ab0d2b434d66566500145" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML, ", "method": "GET", "path": "\/env.bak", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML, like Gecko) Version\/6.0 Mobile\/10A5355d Safari\/8536.25", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-8" ], "request_line": "GET \/env.bak HTTP\/1.1", "request_sample": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML, like Gecko) Version\/6.0 Mobile\/10A5355d Safari\/8536.25\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML,", "evidence": { "method": "GET", "path": "\/env.bak", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML, like Gecko) Version\/6.0 Mobile\/10A5355d Safari\/8536.25", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-8" ], "request_line": "GET \/env.bak HTTP\/1.1", "request_sample": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML, like Gecko) Version\/6.0 Mobile\/10A5355d Safari\/8536.25\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML,", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d9fabe057dce09f8ee0a5e1677243203f027e775", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_probe_env" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Moyen · 55
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 14 Recommandation Investiguer Tags 950470:nosqli-3 950514:leak-1 http_backup_file_scan http_sensitive_path Cible HTTP GET /.env~ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env~ Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env~ HTTP/1.1` User-Agent BlackBerry8300/4.2.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/107 UP.Link/6.2.3.15.0 Règles WAF nosqli-3 leak-1 Payload (extrait) GET /.env~ HTTP/1.1 Host: 62.3.50.33:82 User-Agent: BlackBerry8300/4.2.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/107 Requête brute (extrait) GET /.env~ HTTP/1.1 Host: 62.3.50.33:82 User-Agent: BlackBerry8300/4.2.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/107 UP.Link/6.2.3.15.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "env~", "http_ua_hash": "66a037cee45db2503b4c91e43bee6fec7f98adfe", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "1226c0debb1b75494a73e965e6d8cdcb9b1ead38", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 215, "payload_entropy": 5.2967592886748065, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 64, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8a695fe13f1e619d496fd77d97cce210a9ab0392", "event_fingerprint": "e3dacc09fb3f8b4b60988e5ef0c3778723e51ccb", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b55161923bfd52f23c0f0bf0408c2094", "payload_hash": "cbd9141d0dbe370d39efe5b15e1a6dd1", "path_pattern_hash": "cf5f67b633918a8bfbe3f2b4d6e8e9e1" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: BlackBerry8300\/4.2.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/107 ", "method": "GET", "path": "\/.env~", "user_agent": "BlackBerry8300\/4.2.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/107 UP.Link\/6.2.3.15.0", "waf_tags": [ "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/.env~ HTTP\/1.1", "request_sample": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: BlackBerry8300\/4.2.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/107 UP.Link\/6.2.3.15.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: BlackBerry8300\/4.2.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/107", "evidence": { "method": "GET", "path": "\/.env~", "user_agent": "BlackBerry8300\/4.2.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/107 UP.Link\/6.2.3.15.0", "waf_tags": [ "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/.env~ HTTP\/1.1", "request_sample": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: BlackBerry8300\/4.2.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/107 UP.Link\/6.2.3.15.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: BlackBerry8300\/4.2.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/107", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0834beecd3b1647f77cf27807585f708b552f8d5", "ban_policy": "advisory_investigate", "tags_list": [ "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Tentative d'exploit	Élevée	Moyen · 48
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /env.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /env.txt Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /env.txt HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.19 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /env.txt HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, lik Requête brute (extrait) GET /env.txt HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.19 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "8343728e09cc5534aa355662af176824290e16ba", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "43063baf0fda73950dd575fa216e503f70ad04be", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 239, "payload_entropy": 5.431177491505892, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 2, "anomaly_count": 0, "campaign_key": "b4891d212379c43873fbd2b0397cc102257c1b79", "event_fingerprint": "98e31e8955b7594ee89209880e1b191bed6c1ab4", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d5b435b8abdaa4272f37db8d3f41393b", "payload_hash": "3506770abfdc91d268f0fef1d249ca5c", "path_pattern_hash": "4ff48f74005d677acf48e527b71c7273" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, lik", "method": "GET", "path": "\/env.txt", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/env.txt HTTP\/1.1", "request_sample": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, lik", "evidence": { "method": "GET", "path": "\/env.txt", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/env.txt HTTP\/1.1", "request_sample": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, lik", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e7fe60464ecb4b119756ea13aa7886de4af2c37", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.txt Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.txt HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko/20081015 Fennec/1.0a1 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.txt HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko/20081015 Requête brute (extrait) GET /.env.txt HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko/20081015 Fennec/1.0a1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "a5d1fb4038518fe0ebb1893e348c7b185e0551c5", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "db658cd9f30d14f4f7b89e2ec27457776d31b406", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 210, "payload_entropy": 5.274041879123376, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "f97cbc931f789df1d16bdcf0ca5e26901c8c0a2c", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4265e407fd374471485c2088155c8a8d", "payload_hash": "fd751e2717b6298c266a95c02c7150c2", "path_pattern_hash": "bcf9f4a0a512e549570ca7fb20cc5789" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.txt HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko\/20081015", "method": "GET", "path": "\/.env.txt", "user_agent": "Mozilla\/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko\/20081015 Fennec\/1.0a1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.txt HTTP\/1.1", "request_sample": "GET \/.env.txt HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko\/20081015 Fennec\/1.0a1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.txt HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko\/20081015", "evidence": { "method": "GET", "path": "\/.env.txt", "user_agent": "Mozilla\/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko\/20081015 Fennec\/1.0a1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.txt HTTP\/1.1", "request_sample": "GET \/.env.txt HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko\/20081015 Fennec\/1.0a1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.txt HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko\/20081015", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e1087cf391ad3c2546d3a40642f0c3aa873a106a", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Tentative d'exploit	Élevée	Moyen · 48
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /env.backup Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /env.backup HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-G965U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /env.backup HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965U) AppleWebKit/537.36 (KHTML, l Requête brute (extrait) GET /env.backup HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "backup", "http_ua_hash": "2e2c19c1d95990a188ae2dc3e112475ddb923307", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "de881192e40b910ddadfeaa7d74737f8ac4fcb8e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 249, "payload_entropy": 5.428028576815643, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 2, "anomaly_count": 0, "campaign_key": "b4891d212379c43873fbd2b0397cc102257c1b79", "event_fingerprint": "0f1a9900b45421dc0ddf8cd1c425d1e2eee26d9b", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0fc9f1f9e51b48f63de3565001461eb9", "payload_hash": "b70def2ee49b7ffad35868ceaa8c8502", "path_pattern_hash": "0913256c1ce2cf4361c479b44d591aa5" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, l", "method": "GET", "path": "\/env.backup", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/env.backup HTTP\/1.1", "request_sample": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, l", "evidence": { "method": "GET", "path": "\/env.backup", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/env.backup HTTP\/1.1", "request_sample": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, l", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e49652473684e51cf9a326891ae200f549c4cfc9", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.production.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.production.local Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Probe /.env.production Ligne de requête `GET /.env.production.local HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.production.local HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /.env.production.local HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "local", "http_ua_hash": "a9bf52155318772ae4e63c034a88f19baba59046", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "d3f1365c6401e671ba4f40a870e3ce46645aab05", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.3815819103736615, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "bd62066e62d6d580a07c79c44f037854400a3ed9", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 325, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191", "pat-0194" ], "matched_pattern_names": [ "Probe \/.env", "Probe \/.env.production" ], "pattern_ids": [ "pat-0191", "pat-0194" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3c2484f027975550dcd1a322f9a63052", "payload_hash": "f59363e3250e0855e8e25bd39f3a42d4", "path_pattern_hash": "a0a342b9319fca95b9114c90facec319" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.production.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/.env.production.local", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.75 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.production.local HTTP\/1.1", "request_sample": "GET \/.env.production.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.75 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.production.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/.env.production.local", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.75 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.production.local HTTP\/1.1", "request_sample": "GET \/.env.production.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.75 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.production.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5ab9659a02a3b3e67c55d08f2c6fd02422766302", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /api/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod™_Version) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod™_Version) Apple Requête brute (extrait) GET /api/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod™_Version) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Conne Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "d1fe78cc4b2390aa57ab35fd24fafa28626a16ef", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "f5b7d21cf92d5caca6cd906725e72730e31bc18c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 272, "payload_entropy": 5.459818580255799, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "d19a9e44e9038ccd4bb026e8ec779734184cad63", "event_fingerprint": "2380b7be9982bd26621a617aaa8c01c9a3855202", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "89118e8e7adfb61feb0c5082572d1e14", "payload_hash": "a18c039549fcda0924b5882e8d601c05", "path_pattern_hash": "3c658e3b68f996f41891a76e1d05a9a5" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) Apple", "method": "GET", "path": "\/api\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env HTTP\/1.1", "request_sample": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne", "payload_snippet": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) Apple", "evidence": { "method": "GET", "path": "\/api\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env HTTP\/1.1", "request_sample": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne", "payload_snippet": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) Apple", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9150dd71fa3925f9e43dda1474d2f3eac8f60225", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Moyen · 47
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 8 Recommandation Surveiller Tags 950514:leak-1 http_backup_file_scan http_sensitive_path Cible HTTP GET /.env.dev.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.dev.local Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « leak-1 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.dev.local HTTP/1.1` User-Agent HTMLParser/1.6 Règles WAF leak-1 Payload (extrait) GET /.env.dev.local HTTP/1.1 Host: 62.3.50.33:82 User-Agent: HTMLParser/1.6 Accept-Charset: utf-8 Accept-Encoding: gzip Con Requête brute (extrait) GET /.env.dev.local HTTP/1.1 Host: 62.3.50.33:82 User-Agent: HTMLParser/1.6 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "local", "http_ua_hash": "4795231a22fb3723ee7614729d2f174075c02b4d", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "12559bd98a78482d9ce7a35ea95030c5164cc18e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.068901485416902, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 40, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 40, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "8c27660d3db584b38633e86e1bd72a6daa966e42", "event_fingerprint": "e59b84fbfff7ceb0583d0d8fdc129fc894ab233c", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab leak-1 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 240, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2d2b2f462df541a5583d5751faedf94b", "payload_hash": "fec4813474f156c528a8062cfb078b6d", "path_pattern_hash": "168410cb363e5bff281032a79dc5b72d" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.dev.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: HTMLParser\/1.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "method": "GET", "path": "\/.env.dev.local", "user_agent": "HTMLParser\/1.6", "waf_tags": [ "950514:leak-1" ], "waf_rule_names": [ "leak-1" ], "request_line": "GET \/.env.dev.local HTTP\/1.1", "request_sample": "GET \/.env.dev.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: HTMLParser\/1.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.dev.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: HTMLParser\/1.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "evidence": { "method": "GET", "path": "\/.env.dev.local", "user_agent": "HTMLParser\/1.6", "waf_tags": [ "950514:leak-1" ], "waf_rule_names": [ "leak-1" ], "request_line": "GET \/.env.dev.local HTTP\/1.1", "request_sample": "GET \/.env.dev.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: HTMLParser\/1.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.dev.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: HTMLParser\/1.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab leak-1 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "43d45ea66dcee73219c1f0dc07185ccd12502c14", "ban_policy": "advisory_monitor", "tags_list": [ "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /api/.env.local Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.local HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/.env.local HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit/537.36 Requête brute (extrait) GET /api/.env.local HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "84c75482fdef0a4798619e9b7d389fd65ba79acd", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "edb025f9fa0e5ca4830590504e5c719dffe9f0d2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.437583469852692, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "d19a9e44e9038ccd4bb026e8ec779734184cad63", "event_fingerprint": "c794d6c3276f36d126c74ae9d7c16cd13b86b5fd", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3dd2d5718cccb3969b1019b3f0860581", "payload_hash": "1198292726124126a44b8a28e5bed39d", "path_pattern_hash": "593041543fc7e9468b6d0efddae98740" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 ", "method": "GET", "path": "\/api\/.env.local", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.local HTTP\/1.1", "request_sample": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/api\/.env.local", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.local HTTP\/1.1", "request_sample": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "164375d805c0d2bb6a87d78758d7ff310a8758e4", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 26 Recommandation Investiguer Tags 950316:lfi-14 950468:nosqli-3 950514:leak-1 950600:k8s-api Cible HTTP GET /api/v2/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /api/v2/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /api/v2/ Ligne de requête `GET /api/v2/.env HTTP/1.1` User-Agent wii libnup/1.0 Règles WAF lfi-14 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/v2/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: wii libnup/1.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connec Requête brute (extrait) GET /api/v2/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: wii libnup/1.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "3f4e5c87c193872106cfbb5d90285db4df3fe4ed", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "cc4b30112d6bf6eb67e9d97dbf1e56d5dce1ab0e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 143, "payload_entropy": 5.057527149946495, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "98cfd24c07b25a7a0a3228cdf752cee42bd99d52", "event_fingerprint": "40cca6a66c8096d633a1c8c177e256cdac89d915", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 185, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "matched_patterns": [ "pat-0213" ], "matched_pattern_names": [ "Probe \/api\/v2\/" ], "pattern_ids": [ "pat-0213" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "06587e20115dae1320821738f5e73854", "payload_hash": "4c84415dadb719e621e159b5facb299c", "path_pattern_hash": "45a8106651a0a44c3f11053706f8aead" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: wii libnup\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "method": "GET", "path": "\/api\/v2\/.env", "user_agent": "wii libnup\/1.0", "waf_tags": [ "950316:lfi-14", "950468:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/v2\/.env HTTP\/1.1", "request_sample": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: wii libnup\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: wii libnup\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "evidence": { "method": "GET", "path": "\/api\/v2\/.env", "user_agent": "wii libnup\/1.0", "waf_tags": [ "950316:lfi-14", "950468:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/v2\/.env HTTP\/1.1", "request_sample": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: wii libnup\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: wii libnup\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2a62b9991758522c3d318b4b91d2b13b1bc8f154", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950468:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_api_route_probe", "http_backup_file_scan", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 39 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /api/v1/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /api/v1/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /api/v1/ Ligne de requête `GET /api/v1/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/v1/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.19.4 Requête brute (extrait) GET /api/v1/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "59423626a08bd02f2b9e57d98fcf5e653cd00fbe", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "510d89ba7f87ce49d7697f92088f4049153aa93e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 247, "payload_entropy": 5.368109450972935, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 11, "anomaly_count": 0, "campaign_key": "7d0d4a5d1fb45a5b4d34a78036be1eef22e64599", "event_fingerprint": "1eb9a273f238ef29896767a58bd45ed7668ad4fb", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 185, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "matched_patterns": [ "pat-0212" ], "matched_pattern_names": [ "Probe \/api\/v1\/" ], "pattern_ids": [ "pat-0212" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f6be50818ab971b3803e8ee7540102bd", "payload_hash": "fdf90c7d67d06de815ff48f96114bdd7", "path_pattern_hash": "5df89d300eb37d420581ac8576ea9498" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/api\/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/533.19.4", "method": "GET", "path": "\/api\/v1\/.env", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/533.19.4 (KHTML, like Gecko) Version\/5.0.2 Safari\/533.18.5", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/v1\/.env HTTP\/1.1", "request_sample": "GET \/api\/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/533.19.4 (KHTML, like Gecko) Version\/5.0.2 Safari\/533.18.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/533.19.4", "evidence": { "method": "GET", "path": "\/api\/v1\/.env", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/533.19.4 (KHTML, like Gecko) Version\/5.0.2 Safari\/533.18.5", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/v1\/.env HTTP\/1.1", "request_sample": "GET \/api\/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/533.19.4 (KHTML, like Gecko) Version\/5.0.2 Safari\/533.18.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/533.19.4", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6e58887247b517f69dccbe6c5dbcbe65691fca95", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_api_route_probe", "http_backup_file_scan", "http_k8s_probe", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.staging TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /api/.env.staging Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.staging HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/.env.staging HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K Requête brute (extrait) GET /api/.env.staging HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "staging", "http_ua_hash": "fb35aa6d075efbf6c20bdfab4a318bb13334b704", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "558189df00dd1f382a665a69aadcd9f4c6685109", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.403459408058749, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "d19a9e44e9038ccd4bb026e8ec779734184cad63", "event_fingerprint": "9a17021bf81ca25bf74f30bfc155989aeb735e7a", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b80f036707f051ea52220d84e31704a2", "payload_hash": "20a6904de5101e14e10eab8b2df8ba9c", "path_pattern_hash": "07bb9306fa50af07f9ffa6d9d05639e6" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/api\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/api\/.env.staging", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.78 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.staging HTTP\/1.1", "request_sample": "GET \/api\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.78 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/api\/.env.staging", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.78 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.staging HTTP\/1.1", "request_sample": "GET \/api\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.78 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (K", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cb029410f0237df01bc79c847d95d195296f5a68", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 38 Recommandation Investiguer Tags 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /api/.env.old Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « ssrf-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /api/.env.old HTTP/1.1` User-Agent AdsBot-Google ( http://www.google.com/adsbot.html) Règles WAF ssrf-3 nosqli-3 leak-1 leak-8 k8s-api Payload (extrait) GET /api/.env.old HTTP/1.1 Host: 62.3.50.33:82 User-Agent: AdsBot-Google ( http://www.google.com/adsbot.html) Accept-Charset: Requête brute (extrait) GET /api/.env.old HTTP/1.1 Host: 62.3.50.33:82 User-Agent: AdsBot-Google ( http://www.google.com/adsbot.html) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "old", "http_ua_hash": "d339cf5577510900d6ae7a2034a71a408566a4fc", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "1eaaed3d5813b8a0c46124d29705f048ce880ab8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 180, "payload_entropy": 5.096620768084978, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 10, "anomaly_count": 0, "campaign_key": "5e2d29fff875875c5e92a1acae65f3fa9344d8e7", "event_fingerprint": "31719037dda69b00c6d31cdb15caafc9444e0013", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "38b274f5c581c7410651422886fcbc13", "payload_hash": "3549a8f4536af65c8bd92bad6e9538ea", "path_pattern_hash": "f24df3f6a48f5ead7ac9d4853493d4fa" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: AdsBot-Google ( http:\/\/www.google.com\/adsbot.html)\r\nAccept-Charset:", "method": "GET", "path": "\/api\/.env.old", "user_agent": "AdsBot-Google ( http:\/\/www.google.com\/adsbot.html)", "waf_tags": [ "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api" ], "waf_rule_names": [ "ssrf-3", "nosqli-3", "leak-1", "leak-8", "k8s-api" ], "request_line": "GET \/api\/.env.old HTTP\/1.1", "request_sample": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: AdsBot-Google ( http:\/\/www.google.com\/adsbot.html)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: AdsBot-Google ( http:\/\/www.google.com\/adsbot.html)\r\nAccept-Charset:", "evidence": { "method": "GET", "path": "\/api\/.env.old", "user_agent": "AdsBot-Google ( http:\/\/www.google.com\/adsbot.html)", "waf_tags": [ "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api" ], "waf_rule_names": [ "ssrf-3", "nosqli-3", "leak-1", "leak-8", "k8s-api" ], "request_line": "GET \/api\/.env.old HTTP\/1.1", "request_sample": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: AdsBot-Google ( http:\/\/www.google.com\/adsbot.html)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: AdsBot-Google ( http:\/\/www.google.com\/adsbot.html)\r\nAccept-Charset:", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bed6082566514c6a2f66285dc0c3d928e7c2a7cc", "ban_policy": "advisory_investigate", "tags_list": [ "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api", "http_backup_file_scan", "http_backup_path", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /api/.env.production Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.production HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/.env.production HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /api/.env.production HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "252b93efa155a5637c584f729eef797ba6dba612", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "968e975abb5bec4d137f79208dfd090d8456c104", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.398004151703649, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 9, "anomaly_count": 0, "campaign_key": "e70ef21d8fc9810910cbcf7ee5fbe371b27b9c84", "event_fingerprint": "ea3fb9a8c9584c0b9c1a5348bb2dfd598df94cb0", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1e6b2a724d1ae943a7a06e4531665258", "payload_hash": "c3b41fa3eb1c4a51a46add6e400d6b84", "path_pattern_hash": "3695b3884d13830f81357e8fc9151d2d" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 ", "method": "GET", "path": "\/api\/.env.production", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.production HTTP\/1.1", "request_sample": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/api\/.env.production", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.production HTTP\/1.1", "request_sample": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "42f730a83f53719d4b5f19921c24b1b57f81f4f9", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /api/.env.backup Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.backup HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; moto e5 plus Build/OPPS27.91-122-3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.126 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/.env.backup HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; moto e5 plus Build/OPPS27.91- Requête brute (extrait) GET /api/.env.backup HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; moto e5 plus Build/OPPS27.91-122-3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.126 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "backup", "http_ua_hash": "3998abd7ca1b3c85ad4e2ac4d02d2c58acfcb5b5", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "9dab8234c39ccb9ea2d77d85642de0c301ab4efb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 284, "payload_entropy": 5.427545749601186, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 9, "anomaly_count": 0, "campaign_key": "e70ef21d8fc9810910cbcf7ee5fbe371b27b9c84", "event_fingerprint": "2c21d6706f158301e7bcbe7bee331ccb54d9a60d", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7eeca09b89f3fc84e44293e4965f2d3b", "payload_hash": "9edfd63557a7fb57d3a1aa4dd0a930b4", "path_pattern_hash": "49a3b01836cfe2c6affa28c94f1fce0a" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus Build\/OPPS27.91-", "method": "GET", "path": "\/api\/.env.backup", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus Build\/OPPS27.91-122-3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.126 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.backup HTTP\/1.1", "request_sample": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus Build\/OPPS27.91-122-3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.126 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "payload_snippet": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus Build\/OPPS27.91-", "evidence": { "method": "GET", "path": "\/api\/.env.backup", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus Build\/OPPS27.91-122-3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.126 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.backup HTTP\/1.1", "request_sample": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus Build\/OPPS27.91-122-3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.126 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "payload_snippet": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus Build\/OPPS27.91-", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "45ecb9463598a2f766a12a49ebedc1829f518501", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 39 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /api/.env.bak Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.bak HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; MI 9) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 leak-8 k8s-api Payload (extrait) GET /api/.env.bak HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; MI 9) AppleWebKit/537.36 (KHTML, lik Requête brute (extrait) GET /api/.env.bak HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; MI 9) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "bak", "http_ua_hash": "637ce5322bb77a61de6800d960f9df95080fd8e7", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "db58915b70ec4f4897682eec5a7fd50dc2102271", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 247, "payload_entropy": 5.408075904608764, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 11, "anomaly_count": 0, "campaign_key": "8aedc9e2d1614829b3c36040d48d16edefb26c33", "event_fingerprint": "9ff1a6df9ed38391cdbf1ae300568c14d39b9490", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d14870c6fbb2acb77d15af60a1d43119", "payload_hash": "1253450c4b14f255f5b2e55746c94d81", "path_pattern_hash": "704472054da186f49a4245e261c91fda" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, lik", "method": "GET", "path": "\/api\/.env.bak", "user_agent": "Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8", "k8s-api" ], "request_line": "GET \/api\/.env.bak HTTP\/1.1", "request_sample": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, lik", "evidence": { "method": "GET", "path": "\/api\/.env.bak", "user_agent": "Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8", "k8s-api" ], "request_line": "GET \/api\/.env.bak HTTP\/1.1", "request_sample": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, lik", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3d1dfe577d66206e4492649ef50fef773bac7775", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api", "http_backup_file_scan", "http_backup_path", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.dev TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /api/.env.dev Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.dev HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/.env.dev HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit/537.36 (K Requête brute (extrait) GET /api/.env.dev HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "dev", "http_ua_hash": "592bb3de86699c826b92a6f269c5cf0b60adac6d", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "df0da649347f6e8b30ebfd6075798e279a79356e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.445559785807001, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 9, "anomaly_count": 0, "campaign_key": "e70ef21d8fc9810910cbcf7ee5fbe371b27b9c84", "event_fingerprint": "896b1de9368666eeb7fefbcee2914a0563404cd6", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "96388e8375c9c019f95583d6b452c123", "payload_hash": "4b674a9a1bdff387ed586657b828c024", "path_pattern_hash": "a65c42973e65ed0c7793c8c71a0195da" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/api\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/api\/.env.dev", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.dev HTTP\/1.1", "request_sample": "GET \/api\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/api\/.env.dev", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.dev HTTP\/1.1", "request_sample": "GET \/api\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit\/537.36 (K", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "efa2c499e4110016c07a0e2e234bb49347d1afa3", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.prod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /api/.env.prod Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.prod HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0) Règles WAF rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/.env.prod HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0) A Requête brute (extrait) GET /api/.env.prod HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "prod", "http_ua_hash": "c14bf96833bdd8aa770bb9da7ac2822dec887995", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "a0523bde74b7800a5f62604ba67d5973949853e7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 194, "payload_entropy": 5.271226457128303, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 9, "anomaly_count": 0, "campaign_key": "e70ef21d8fc9810910cbcf7ee5fbe371b27b9c84", "event_fingerprint": "c841952c8e0405ce2c9ea94abc7f5037ec86b1db", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c6a2bcb6a6c371918bafda16a1164505", "payload_hash": "843f71cfce97f34c62e4e6fb77fcf685", "path_pattern_hash": "0d46dff1e6403d12ac8e9a297c932ed9" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\r\nA", "method": "GET", "path": "\/api\/.env.prod", "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.prod HTTP\/1.1", "request_sample": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\r\nA", "evidence": { "method": "GET", "path": "\/api\/.env.prod", "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.prod HTTP\/1.1", "request_sample": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\r\nA", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f7f5f84f63e77e22e9f406d113373ddd8002ec8d", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 35 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /staging/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /staging/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /staging/.env HTTP/1.1` User-Agent Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/10.0.012; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) WicKed/7.1.12344 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 Payload (extrait) GET /staging/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/10.0.012; Profi Requête brute (extrait) GET /staging/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/10.0.012; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) WicKed/7.1.12344 Accept-Charset: utf-8 Accept-E Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "afd025b06b40b784279794656acbfbcaecfe5b00", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "111415a347404bdd37fcf414f912f654289a0484", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 292, "payload_entropy": 5.472740180685283, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 9, "anomaly_count": 0, "campaign_key": "a9dfc975daced8fcd89aa5a55c82bc33fa670d10", "event_fingerprint": "e74db1f028ed7d6436b5a737342ec26272b6ba99", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "48b77ab855ab2862ab797d6da303d70b", "payload_hash": "a7e22abb5e2ec8b7202a3ab95570b45f", "path_pattern_hash": "65b91a5bf45b2313cae0e22cf01533dc" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/staging\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profi", "method": "GET", "path": "\/staging\/.env", "user_agent": "Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) WicKed\/7.1.12344", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/staging\/.env HTTP\/1.1", "request_sample": "GET \/staging\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) WicKed\/7.1.12344\r\nAccept-Charset: utf-8\r\nAccept-E", "payload_snippet": "GET \/staging\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profi", "evidence": { "method": "GET", "path": "\/staging\/.env", "user_agent": "Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) WicKed\/7.1.12344", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/staging\/.env HTTP\/1.1", "request_sample": "GET \/staging\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) WicKed\/7.1.12344\r\nAccept-Charset: utf-8\r\nAccept-E", "payload_snippet": "GET \/staging\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profi", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "69c41d3ba7fcaaba836f15e11ad6e2a001a74596", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_staging", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /production/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /production/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /production/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /production/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /production/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "bc015ca793896994b398da81b73ea6411505c24f", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "0e5da18e94a87fd88e6a09d81109dbf41d7bea9b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 243, "payload_entropy": 5.394367087683791, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "bd1a505a947e364660d91856aefae549c1424dac", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e6eb4f21da426bcec45322842c03b78a", "payload_hash": "96577427a74b2be27c6b033fb41cb7cb", "path_pattern_hash": "ea627d9d22b8cf889f18c35c4c7d909f" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/production\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/production\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/production\/.env HTTP\/1.1", "request_sample": "GET \/production\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/production\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/production\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/production\/.env HTTP\/1.1", "request_sample": "GET \/production\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/production\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2063644f26c088ab34e3f41ce607e3d5d3a40762", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 28 Recommandation Investiguer Tags 950316:lfi-14 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /v1/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /v1/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /v1/.env HTTP/1.1` User-Agent SonyEricssonZ800/R1Y Browser/SEMC-Browser/4.1 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 Règles WAF lfi-14 nosqli-3 leak-1 Payload (extrait) GET /v1/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: SonyEricssonZ800/R1Y Browser/SEMC-Browser/4.1 Profile/MIDP-2.0 Configura Requête brute (extrait) GET /v1/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: SonyEricssonZ800/R1Y Browser/SEMC-Browser/4.1 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "3f29025821b3a94eaa79a10f577739f1a7d267f6", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "0f6d25494f66c35cd0bd7eb1054d443c9b0c6f63", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 228, "payload_entropy": 5.29290203485433, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "a0953b5f746f889175fb1393d5469e7be9c3245e", "event_fingerprint": "f08f799948bff78c930f172643663801876ca80c", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8189347f53da54fe3964a69ee13bbe99", "payload_hash": "2575e618d6c75c2d4ada9e69f28d98c9", "path_pattern_hash": "a29d1f8ccacc51ac2e54fe6653b8d5f0" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configura", "method": "GET", "path": "\/v1\/.env", "user_agent": "SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0", "waf_tags": [ "950316:lfi-14", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "nosqli-3", "leak-1" ], "request_line": "GET \/v1\/.env HTTP\/1.1", "request_sample": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configura", "evidence": { "method": "GET", "path": "\/v1\/.env", "user_agent": "SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0", "waf_tags": [ "950316:lfi-14", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "nosqli-3", "leak-1" ], "request_line": "GET \/v1\/.env HTTP\/1.1", "request_sample": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configura", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f47e34028539c46a082fa7f46b71d4747735878c", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 35 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /v3/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /v3/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /v3/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 6.0; Le X620 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Mobile Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 Payload (extrait) GET /v3/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 6.0; Le X620 Build/MRA58K) AppleWebKit/537.3 Requête brute (extrait) GET /v3/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 6.0; Le X620 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "73d0ffe91f171255677c4c78e15678f5000775f0", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "8c6c0cf35b21182c44d1fbe7c55901c2e77c5cbc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.450861753320522, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "828bea7b6427ebba83904ef3b3d9a450ce8a5106", "event_fingerprint": "713644c8fcc5a3fd685c3a0a9b6656e2252e1eef", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f7c1824f612605beecab6a5ef0f931ea", "payload_hash": "892d576fd28b748c13015d68c00acffd", "path_pattern_hash": "b9266b5e3818db8e42f016e0af085277" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; Le X620 Build\/MRA58K) AppleWebKit\/537.3", "method": "GET", "path": "\/v3\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0; Le X620 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Mobile Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/v3\/.env HTTP\/1.1", "request_sample": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; Le X620 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; Le X620 Build\/MRA58K) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/v3\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0; Le X620 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Mobile Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/v3\/.env HTTP\/1.1", "request_sample": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; Le X620 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; Le X620 Build\/MRA58K) AppleWebKit\/537.3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7cb9a0d38569f22842ffc2af99c8acfa8562bf5b", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 46 Recommandation Investiguer Tags 950086:sqli-21 950316:lfi-14 950326:rce-0 950468:nosqli-3 Cible HTTP GET /api/v3/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /api/v3/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « sqli-21 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /api/v3/ Ligne de requête `GET /api/v3/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; Mi Note 3 Build/OPM1.171019.019; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/67.0.3396.87 XWEB/882 MMWEBSDK/190505 Mobile Safari/537.36 MMWEBID/35… Règles WAF sqli-21 lfi-14 rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/v3/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Mi Note 3 Build/OPM1.171019.019; Requête brute (extrait) GET /api/v3/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Mi Note 3 Build/OPM1.171019.019; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/67.0.3396.87 XWEB/882 MMWEBSDK/190505 Mobile Safari/537.36 MMWEBID Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "9ead864eae776af34a3bfed185eea8d153ca079a", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "bd51d82ebe68616089e33c9b7e8bd3dca93e4339", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 407, "payload_entropy": 5.545110313961639, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 12, "anomaly_count": 0, "campaign_key": "43c11ecae862184c221b86e3fc11a2d68354549f", "event_fingerprint": "192d177c54d3859348a30f722af2e6cca164ce95", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 185, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "matched_patterns": [ "pat-0214" ], "matched_pattern_names": [ "Probe \/api\/v3\/" ], "pattern_ids": [ "pat-0214" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "97f1748f3d699340948669a768fbd692", "payload_hash": "525d55e1c9c35256edb4bb1113baae6d", "path_pattern_hash": "04909e92bace7d0131f14c363849c629" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Mi Note 3 Build\/OPM1.171019.019; ", "method": "GET", "path": "\/api\/v3\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Mi Note 3 Build\/OPM1.171019.019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/67.0.3396.87 XWEB\/882 MMWEBSDK\/190505 Mobile Safari\/537.36 MMWEBID\/358 MicroMessenger\/7.0.5.1440(0x27000537) Process\/tools Ne\u2026", "waf_tags": [ "950086:sqli-21", "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "sqli-21", "lfi-14", "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/v3\/.env HTTP\/1.1", "request_sample": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Mi Note 3 Build\/OPM1.171019.019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/67.0.3396.87 XWEB\/882 MMWEBSDK\/190505 Mobile Safari\/537.36 MMWEBID", "payload_snippet": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Mi Note 3 Build\/OPM1.171019.019;", "evidence": { "method": "GET", "path": "\/api\/v3\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Mi Note 3 Build\/OPM1.171019.019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/67.0.3396.87 XWEB\/882 MMWEBSDK\/190505 Mobile Safari\/537.36 MMWEBID\/358 MicroMessenger\/7.0.5.1440(0x27000537) Process\/tools Ne\u2026", "waf_tags": [ "950086:sqli-21", "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "sqli-21", "lfi-14", "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/v3\/.env HTTP\/1.1", "request_sample": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Mi Note 3 Build\/OPM1.171019.019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/67.0.3396.87 XWEB\/882 MMWEBSDK\/190505 Mobile Safari\/537.36 MMWEBID", "payload_snippet": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Mi Note 3 Build\/OPM1.171019.019;", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4a73d17bdeeee16d11130703077bb74c2115ade1", "ban_policy": "advisory_investigate", "tags_list": [ "950086:sqli-21", "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_api_route_probe", "http_backup_file_scan", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /prod/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /prod/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /prod/.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.36 Safari/535.7 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /prod/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.7 (KHTM Requête brute (extrait) GET /prod/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.36 Safari/535.7 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "a9c9131f21bbd498611e10f71331c7dd5e9f7d05", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "7702579be3ca2d14cb80324c6a749f13cc1e6ce1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 243, "payload_entropy": 5.407833667579817, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "d2be85286b316f43ae995ef172a1bcd3bd7a04e0", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "171b677823d70df4d8448ff04ae83405", "payload_hash": "7e9965890251da1341ccd1f0d1fe34a6", "path_pattern_hash": "e986d9a8713d4af4d188b7a61ad378ee" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/prod\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTM", "method": "GET", "path": "\/prod\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/prod\/.env HTTP\/1.1", "request_sample": "GET \/prod\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/prod\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTM", "evidence": { "method": "GET", "path": "\/prod\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/prod\/.env HTTP\/1.1", "request_sample": "GET \/prod\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/prod\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTM", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "146f00d7bdd2bc75e22724522107050f178d5e72", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 35 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /v2/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /v2/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /v2/.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 Payload (extrait) GET /v2/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /v2/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "fb421555db09fced69648f6726af353413309d8f", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "79d69dbab75f7603ce6f8ff1846eda4ce95a3fd2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.411540620729484, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "828bea7b6427ebba83904ef3b3d9a450ce8a5106", "event_fingerprint": "97b58607411474d85b545255dc29049f847f0e8c", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6915d10c5bac758cd8969be33236d029", "payload_hash": "32320e33b8cb97c69eaae01b4fa17f79", "path_pattern_hash": "ea63ee477c90ac313ab228a937b8deee" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/v2\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/v2\/.env HTTP\/1.1", "request_sample": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/v2\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/v2\/.env HTTP\/1.1", "request_sample": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f7c0f2e98dd92602dfda7acb21248cccd9bac1bf", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 35 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /qa/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /qa/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /qa/.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Reeder/3.2 Safari/605.1.15 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 Payload (extrait) GET /qa/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KH Requête brute (extrait) GET /qa/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Reeder/3.2 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "5e94862642bf6226f7d90a29b61f4cea938ae052", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "347f368cf7019820ddbef16e4ba72b557e9ffd91", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 240, "payload_entropy": 5.358679159333535, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "828bea7b6427ebba83904ef3b3d9a450ce8a5106", "event_fingerprint": "b8fa93cb48a3aca1e764e39d4debc2cc41ce51e1", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1fa75d0f80798ea8c4dd96917af34a74", "payload_hash": "7d1b5017675796b089726b185122553a", "path_pattern_hash": "304ba9ff810db7ae18a3843216ad1c4b" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KH", "method": "GET", "path": "\/qa\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Reeder\/3.2 Safari\/605.1.15", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/qa\/.env HTTP\/1.1", "request_sample": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Reeder\/3.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KH", "evidence": { "method": "GET", "path": "\/qa\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Reeder\/3.2 Safari\/605.1.15", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/qa\/.env HTTP\/1.1", "request_sample": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Reeder\/3.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KH", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d1842eb3aa4d58a83716df159c725181caf80c76", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /dev/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /dev/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /dev/.env HTTP/1.1` User-Agent Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 es50 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /dev/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Geck Requête brute (extrait) GET /dev/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 es50 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "cb4b1b750e753434b1d9a07b45ceeb9485f74750", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "95dbd9173b5580a94a3583c1e8d31bee303be7a7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 215, "payload_entropy": 5.401230877090016, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "39a8af74187507424d747d3d502f92a50b72ae11", "event_fingerprint": "c4a2037ca765fb6f7783c13a72d7bcbcc6aa56d2", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6ada5f944d3e9ea5ff2aae41c3b4d633", "payload_hash": "3ba054a5b4cf7ff3bab347ecf3e2e35c", "path_pattern_hash": "5776ea19ec2f88a0568ff0bc7de6e909" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Geck", "method": "GET", "path": "\/dev\/.env", "user_agent": "Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413 es50", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/dev\/.env HTTP\/1.1", "request_sample": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413 es50\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Geck", "evidence": { "method": "GET", "path": "\/dev\/.env", "user_agent": "Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413 es50", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/dev\/.env HTTP\/1.1", "request_sample": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413 es50\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Geck", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6a9a83e49702ff24b06caa7b8852cdc54caf5adb", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_dev", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 14 Recommandation Investiguer Tags 950468:nosqli-3 950514:leak-1 http_backup_file_scan http_sensitive_path Cible HTTP GET /stage/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /stage/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /stage/.env HTTP/1.1` User-Agent Uzbl (Webkit 1.3) (Linux i686 [i686]) Règles WAF nosqli-3 leak-1 Payload (extrait) GET /stage/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686]) Accept-Charset: utf-8 Accept- Requête brute (extrait) GET /stage/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686]) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "d26eab59ef7aebc1c5985aae4552f1ebd7aa0558", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "737ca670329de18dc663a9b1a810e4d99c607cf0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 165, "payload_entropy": 5.214825227997919, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 64, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 56, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c4c4f1b7614489cb01f9ab905b7d15c6b597ab24", "event_fingerprint": "758150bebdba6d1cef13c284b210d78ef0a30194", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "91f6acd3814db78860f3895180f75f5e", "payload_hash": "de35f5ddb7b112fd224794db00e6816c", "path_pattern_hash": "25b2f069e3141e0796938ca9e4e845aa" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686])\r\nAccept-Charset: utf-8\r\nAccept-", "method": "GET", "path": "\/stage\/.env", "user_agent": "Uzbl (Webkit 1.3) (Linux i686 [i686])", "waf_tags": [ "950468:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/stage\/.env HTTP\/1.1", "request_sample": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686])\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686])\r\nAccept-Charset: utf-8\r\nAccept-", "evidence": { "method": "GET", "path": "\/stage\/.env", "user_agent": "Uzbl (Webkit 1.3) (Linux i686 [i686])", "waf_tags": [ "950468:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/stage\/.env HTTP\/1.1", "request_sample": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686])\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686])\r\nAccept-Charset: utf-8\r\nAccept-", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9f10c3bd1e348e321c665dbfdea301f48f101610", "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 35 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /development/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /development/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /development/.env HTTP/1.1` User-Agent Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38.0 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 Payload (extrait) GET /development/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38 Requête brute (extrait) GET /development/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "ece89018f8e51dcdb25431bef4142f642a506f93", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "368a782b06d2e3f08e91fcad6aa099df587b3caa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 199, "payload_entropy": 5.272536440139591, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "6170ac77407eeaa48430bfd6ffc8c3473d64411f", "event_fingerprint": "e21b36d981af3583be6ccd1f8aaa86f997991e20", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3ef775987e41dcc313d41d88786ef3b6", "payload_hash": "273de0639adf8040c889254803a0391d", "path_pattern_hash": "5ac5643a22156fcbe040fcd2350884e7" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38", "method": "GET", "path": "\/development\/.env", "user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/development\/.env HTTP\/1.1", "request_sample": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38", "evidence": { "method": "GET", "path": "\/development\/.env", "user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/development\/.env HTTP\/1.1", "request_sample": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c5b519db87640f5bd364625e927be0a071c68fc9", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /test/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /test/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /test/.env HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko/20080303 SeaMonkey/1.1.8 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /test/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko/20080303 S Requête brute (extrait) GET /test/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko/20080303 SeaMonkey/1.1.8 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "2d8bcb907bf81985d29ed9ad09c744bea8258b71", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "8197cec9b1d84f19de1c5b10c28917030b9542e4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 211, "payload_entropy": 5.224527473769411, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "e8f556317f0fb6c1005a94ef5dfce3f5a74dd568", "event_fingerprint": "d62bb94a1bbb29bb04d177e0b1d4622b45cc79e7", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a7cbfa848ac307add6c1512eb30c65d5", "payload_hash": "70feb086fe46240b27071e1b87838219", "path_pattern_hash": "a0f6f48aed881c23044b32112fcbe5cd" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/test\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 S", "method": "GET", "path": "\/test\/.env", "user_agent": "Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 SeaMonkey\/1.1.8", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/test\/.env HTTP\/1.1", "request_sample": "GET \/test\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 SeaMonkey\/1.1.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/test\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 S", "evidence": { "method": "GET", "path": "\/test\/.env", "user_agent": "Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 SeaMonkey\/1.1.8", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/test\/.env HTTP\/1.1", "request_sample": "GET \/test\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 SeaMonkey\/1.1.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/test\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 S", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "165dad8cc4bf57814f7d99188949196f49f5389b", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_test", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /uat/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /uat/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /uat/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; moto g(7) play) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /uat/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; moto g(7) play) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /uat/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; moto g(7) play) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "17122a49c4cf7070f9a1d61fe3e60a0482e9abba", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "1eb2933a38e1b26e0106588b5505e9710f93d6fb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.403626035873637, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "a2c22a6420185760b9219155e7c8580c62e936e2", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "40447121961eef0f767d2ee7795cf127", "payload_hash": "f58f0b1c2d5d26b91728f570b67fecd3", "path_pattern_hash": "1a8fcb54c8457aab1171c5a3ff6b1128" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(7) play) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/uat\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; moto g(7) play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/uat\/.env HTTP\/1.1", "request_sample": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(7) play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(7) play) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/uat\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; moto g(7) play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/uat\/.env HTTP\/1.1", "request_sample": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(7) play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(7) play) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c2eace081db30aee7941b6e8a91bb111d768d310", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /app/.env.local Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.local HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 7.1.2; el-gr; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/10.9.7-g Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env.local HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; U; Android 7.1.2; el-gr; Redmi 4X Build/N2G47 Requête brute (extrait) GET /app/.env.local HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; U; Android 7.1.2; el-gr; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/10.9.7-g Acc Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "3a11fde199781275f7211e7cad66b1631ceb098b", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "6b35726d908ca1441d48958552cc4f0c6d6cdbcd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 320, "payload_entropy": 5.459299845268668, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "8660db8120d5a6a5a07f5bdfe7de84249a3b8088", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e208e535d8b7c8f8ceceb97d288ce28c", "payload_hash": "27144202863e9198472bf7501fd323f3", "path_pattern_hash": "d0aea5366423bcf3f26207cfc3fa52c7" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.1.2; el-gr; Redmi 4X Build\/N2G47", "method": "GET", "path": "\/app\/.env.local", "user_agent": "Mozilla\/5.0 (Linux; U; Android 7.1.2; el-gr; Redmi 4X Build\/N2G47H) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrowser\/10.9.7-g", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.local HTTP\/1.1", "request_sample": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.1.2; el-gr; Redmi 4X Build\/N2G47H) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrowser\/10.9.7-g\r\nAcc", "payload_snippet": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.1.2; el-gr; Redmi 4X Build\/N2G47", "evidence": { "method": "GET", "path": "\/app\/.env.local", "user_agent": "Mozilla\/5.0 (Linux; U; Android 7.1.2; el-gr; Redmi 4X Build\/N2G47H) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrowser\/10.9.7-g", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.local HTTP\/1.1", "request_sample": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.1.2; el-gr; Redmi 4X Build\/N2G47H) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrowser\/10.9.7-g\r\nAcc", "payload_snippet": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.1.2; el-gr; Redmi 4X Build\/N2G47", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3973454bc498464b305c0df0d40e1a0a7fd4a0c0", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /app/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /app/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "78b3da388f07125922275ece3097b6f15cda702b", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "628b9cb47d9f8d6e8fddc1b7d3cebf1133d17f4f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.383115723599998, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "04f0e23f049a0409291883528acef3a530eaff24", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2fe5bca2bb102783ce93b1df880741ca", "payload_hash": "81e9a0552888ed8ef6bdb60324c49d39", "path_pattern_hash": "6215588c522bb159cbcefac1cb9fb1de" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/app\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/app\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env HTTP\/1.1", "request_sample": "GET \/app\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/app\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env HTTP\/1.1", "request_sample": "GET \/app\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e3fb411bfb00ab353199ed39ffd15bae88bf7552", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.prod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /app/.env.prod Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.prod HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/76.0.3809.87 Chrome/76.0.3809.87 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env.prod HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Ge Requête brute (extrait) GET /app/.env.prod HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/76.0.3809.87 Chrome/76.0.3809.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "prod", "http_ua_hash": "b0743359cca000a94882207e34f02c84ce034c0e", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "ee922ae5907bc48e4659f274d485f8c67812795b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 264, "payload_entropy": 5.4550084543447985, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "1ee44c11c949fbdbc19f38227643b59e7fc7c470", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "90e607b816a82867de956a7806fccdec", "payload_hash": "19034b3a71481baa7d099c9ed9103564", "path_pattern_hash": "22e14c6f65ce5c9bdbd96012d1745d82" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge", "method": "GET", "path": "\/app\/.env.prod", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.87 Chrome\/76.0.3809.87 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.prod HTTP\/1.1", "request_sample": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.87 Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge", "evidence": { "method": "GET", "path": "\/app\/.env.prod", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.87 Chrome\/76.0.3809.87 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.prod HTTP\/1.1", "request_sample": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.87 Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3be2e4dc719b8b9fd2576fc50eb31fc1c6fdcb49", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /app/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /app/.env.production Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.production HTTP/1.1` User-Agent iTunes/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca) Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env.production HTTP/1.1 Host: 62.3.50.33:82 User-Agent: iTunes/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca) A Requête brute (extrait) GET /app/.env.production HTTP/1.1 Host: 62.3.50.33:82 User-Agent: iTunes/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "c4a0fe09bc991f38f2762ac98ebb299ccaac5c38", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "9f1a3b476954729097b55b44dc605e9187baaeeb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 194, "payload_entropy": 5.189860597888304, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "e172cb3a8db13dd0d8b5067113621dd672784d2e", "event_fingerprint": "2f67c16acaf5e9d7dd9166746c4634621d2c2e75", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9d8a676a5e70446588dc3ff902297c42", "payload_hash": "db5f7c60920286b5640622d0c69ecbe9", "path_pattern_hash": "129b91fce99c27e6763c24ece35d5295" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: iTunes\/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca)\r\nA", "method": "GET", "path": "\/app\/.env.production", "user_agent": "iTunes\/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.production HTTP\/1.1", "request_sample": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: iTunes\/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: iTunes\/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca)\r\nA", "evidence": { "method": "GET", "path": "\/app\/.env.production", "user_agent": "iTunes\/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.production HTTP\/1.1", "request_sample": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: iTunes\/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: iTunes\/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca)\r\nA", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4b9d43816b6e79d47e8cfd7ac72e8e6f69f9c09b", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /app/.env.backup Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.backup HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3722.400 QQBrowser/10.5.3763.400 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env.backup HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /app/.env.backup HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3722.400 QQBrowser/10.5.3763.400 Accept-Charset: utf-8 Accept-Encoding Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "backup", "http_ua_hash": "6bdc83be1502cceec28399be1549bf9ea96387d9", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "b42013d9fc6faf7024bf195a915bf9a177806a2f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 285, "payload_entropy": 5.419225898486543, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "5cd931629495177326bb137e646848367522cdfa", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "607b163a5ea2eb38609e341d7820bca4", "payload_hash": "9edb08f47255483b0f2f112938977883", "path_pattern_hash": "114733505d40fc8a9280b409ddd76598" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/app\/.env.backup", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3722.400 QQBrowser\/10.5.3763.400", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.backup HTTP\/1.1", "request_sample": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3722.400 QQBrowser\/10.5.3763.400\r\nAccept-Charset: utf-8\r\nAccept-Encoding", "payload_snippet": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/app\/.env.backup", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3722.400 QQBrowser\/10.5.3763.400", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.backup HTTP\/1.1", "request_sample": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3722.400 QQBrowser\/10.5.3763.400\r\nAccept-Charset: utf-8\r\nAccept-Encoding", "payload_snippet": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e2fa5b8278928ace6bd71ad6185ac404bac735ee", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 35 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /app/.env.bak Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.bak HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; moto g(6)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /app/.env.bak HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; moto g(6)) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /app/.env.bak HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; moto g(6)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "bak", "http_ua_hash": "031ff0258154d1eac873b26f3492f9a96a7bd2d9", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "675fe9576f3ec7add08a15dd0c540b55e5bbfdec", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.400084199665182, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 9, "anomaly_count": 0, "campaign_key": "11770b663ddcbc64ccd759f182e5625d28c841f4", "event_fingerprint": "a5e9fdb1f4884b53a7af9ce154b8fc334e547354", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2f37b314141013853374c7f76ffa74e", "payload_hash": "0270addb9bac305d25e06f0784e4862b", "path_pattern_hash": "a68a9dfeaee6097716a18c2b9f43c5f9" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/app\/.env.bak", "user_agent": "Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/app\/.env.bak HTTP\/1.1", "request_sample": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/app\/.env.bak", "user_agent": "Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/app\/.env.bak HTTP\/1.1", "request_sample": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7d57ceb2aefae83ca1ddeee5b78c3cb8b5fce8e8", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.dev TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /app/.env.dev Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.dev HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env.dev HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 Requête brute (extrait) GET /app/.env.dev HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "dev", "http_ua_hash": "6c68b31e4afe613651be3d49fd3f6f12f40168c0", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "df5aa2d688155147d78025f13efee7d00a0eafd8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.4376727615516876, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "97f0e7d08611200c4625dc2056186f111aa7a097", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "77c7bee56c3a61cc8dc4c726a4bc15e4", "payload_hash": "6303d1ac76d545a0de88f9f4ff0322c4", "path_pattern_hash": "80cfd304d2c6517de5f460ebde85ca3d" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 ", "method": "GET", "path": "\/app\/.env.dev", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.dev HTTP\/1.1", "request_sample": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/app\/.env.dev", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.dev HTTP\/1.1", "request_sample": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e91221db5d4b8c7e088aee7c2b3332a0f5794bb1", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 35 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /app/.env.old Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.old HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G960F Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/8.2 Chrome/63.0.3239.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /app/.env.old HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G960F Build/PPR1.180610.0 Requête brute (extrait) GET /app/.env.old HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G960F Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/8.2 Chrome/63.0.3239.111 Mobile Safari/537.36 Accept-Charset: utf-8 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "old", "http_ua_hash": "b1db1b6711c27a4fa5cf6a9f8ea82819e09de87d", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "ad318b5cc7cc0c1bf7e3b724fbebccf0a8e6ad42", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 300, "payload_entropy": 5.502251161762792, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 9, "anomaly_count": 0, "campaign_key": "11770b663ddcbc64ccd759f182e5625d28c841f4", "event_fingerprint": "4799f3a30df09f3b1e77fbe780b0a68b0d4db6c6", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cf2d56203cddd77aaa519afd5a80048e", "payload_hash": "27bfa2ab5d2fbef5cb512a30063cfd7b", "path_pattern_hash": "8ac2cfa932003fc4c8032f73eb2729b9" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960F Build\/PPR1.180610.0", "method": "GET", "path": "\/app\/.env.old", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/8.2 Chrome\/63.0.3239.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/app\/.env.old HTTP\/1.1", "request_sample": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/8.2 Chrome\/63.0.3239.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\n", "payload_snippet": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960F Build\/PPR1.180610.0", "evidence": { "method": "GET", "path": "\/app\/.env.old", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/8.2 Chrome\/63.0.3239.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/app\/.env.old HTTP\/1.1", "request_sample": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/8.2 Chrome\/63.0.3239.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\n", "payload_snippet": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960F Build\/PPR1.180610.0", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "842676812fb7d2bd6e43ab86538f941aa2a44a1c", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.staging TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /app/.env.staging Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.staging HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env.staging HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /app/.env.staging HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "staging", "http_ua_hash": "b1e7dd6d29e880c014bdd0f2b62522a104801cab", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "e84f59fbbec8a04fdfc3078fbdf0ae4fd69640c6", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 244, "payload_entropy": 5.399313744415246, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "782ce0e62d9b5c5dfa958ca59a58bcfdd1f7f15c", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "94095ff7e391a8e3a58b49f3a1340809", "payload_hash": "711b8b4d3e28d83046222bb6462232a2", "path_pattern_hash": "5a281530de78ccf813317373171371c8" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/app\/.env.staging", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.staging HTTP\/1.1", "request_sample": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/app\/.env.staging", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.staging HTTP\/1.1", "request_sample": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "de14a7e926670ea83600a9d4e4adf20afaecb3ee", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/api/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /app/api/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/api/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/api/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /app/api/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "cdc17bd51ab1f8511346e49d1eddfeb06b6057f4", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "a26af0cb127afb7f53aace7ab18a175b4d8a51bd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 245, "payload_entropy": 5.406563934616501, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "acc055ddee38301466885eb6e536478387cef8a0", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6e1fbfb722026fc2fea44003247fc8bc", "payload_hash": "7590aa7a46012afa59a0a1aa7052444b", "path_pattern_hash": "9328998b0872bf59d928235746a301f6" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/app\/api\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/api\/.env HTTP\/1.1", "request_sample": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/app\/api\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/api\/.env HTTP\/1.1", "request_sample": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "48ab09895e1f5ed8d784c905d3831b5b41dcc2b5", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/backend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /app/backend/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/backend/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/backend/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KH Requête brute (extrait) GET /app/backend/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "89e6abe6a3f1d5a391ac7c0eb8cf70acf5ba31dd", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "97ef8b86f35b56a86d5dbe6549b6162a1d5ef49e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.435159882098846, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "415b01fc0e5c15c87288eb5468af6764cdd2d99f", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "44b94a6902ea38a9e8505e05db84b069", "payload_hash": "911e915acbe9413752854ceb2057a8a2", "path_pattern_hash": "288b39c98eb1f440a224c00537d9552f" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/app\/backend\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/backend\/.env HTTP\/1.1", "request_sample": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/app\/backend\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/backend\/.env HTTP\/1.1", "request_sample": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KH", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4ff15d1e9b50657076893e1cfb8c95a36fe3f345", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /backend/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 Requête brute (extrait) GET /backend/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "4184044bad7ba51283d3e6840c5dbec309a6ef27", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "43427b722c17a9a0bc6fc425a8ca9501d2c985f0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.376534522381449, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "104d24fc0af25533f5462e38af4eba93c25e6a11", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2eaa9eb4cc81509736c0f74aaadee18f", "payload_hash": "8a858aca6110d54c7d5eb73ef434ebd5", "path_pattern_hash": "1ffd9afa4ff51d558fbb13c458726c9c" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36 ", "method": "GET", "path": "\/backend\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env HTTP\/1.1", "request_sample": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/backend\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env HTTP\/1.1", "request_sample": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dd3c40162a45d4206bce09df6e3b4e5293edf42a", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /backend/.env.local Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env.local HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/.env.local HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/5 Requête brute (extrait) GET /backend/.env.local HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "b3970182b67098d11a430fd4d67f51464465054f", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "7a997ecf8c7c3ade11101024aba12e58dee560af", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.411920248341092, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "f46e09a486bfe192a590c9be4766535d03f1e59b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5d16faaeaca0e0a05462f6520cd0ed8d", "payload_hash": "40923dde28151ab58cec155d02c3f9cc", "path_pattern_hash": "6e2a711f7323df4e4b7b37b3c8fb7ec7" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/5", "method": "GET", "path": "\/backend\/.env.local", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.local HTTP\/1.1", "request_sample": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/backend\/.env.local", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.local HTTP\/1.1", "request_sample": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/5", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ea322a2f0920e5daa924665639df8c0dd773616e", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env.prod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /backend/.env.prod Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env.prod HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/.env.prod HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, lik Requête brute (extrait) GET /backend/.env.prod HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "prod", "http_ua_hash": "4b34faf3bb1b579874fe2a9de9ae1f9c2939f5e1", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "ece1b00dd116de2d5cd1e616b647fb67b7d3b035", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 240, "payload_entropy": 5.43796155931392, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "49b330a986f3034fe55a30e7dcdbc02faf87e0ab", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "fdb80025e99489fe497e7387349cd0a4", "payload_hash": "11e3a9bff97de47c695997d59fadd2fe", "path_pattern_hash": "06b37c283e0032a53442bbe10821cfeb" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "method": "GET", "path": "\/backend\/.env.prod", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.prod HTTP\/1.1", "request_sample": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "evidence": { "method": "GET", "path": "\/backend\/.env.prod", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.prod HTTP\/1.1", "request_sample": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "28f3299ab7fb54e96fe7179d33f8577adccde8d7", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /backend/.env.production Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env.production HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 1.0; en-us; dream) AppleWebKit/525.10 (KHTML, like Gecko) Version/3.0.4 Mobile Safari/523.12.2 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/.env.production HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; U; Android 1.0; en-us; dream) AppleW Requête brute (extrait) GET /backend/.env.production HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; U; Android 1.0; en-us; dream) AppleWebKit/525.10 (KHTML, like Gecko) Version/3.0.4 Mobile Safari/523.12.2 Accept-Charset: utf-8 Accept-Encoding: gzip Connection Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "e0e4d66b08dfd8224529e383fcad844f8a7b0fb4", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "f5bb9f02b8945472030d827baea0ca721346631c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.3178820139505465, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "72ebdd509e8434ac60b45e83bcc0ce433e5121ed", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8b37155da47f709a193143ea98ca253a", "payload_hash": "f40cd5437a36660a750f15d5a95b1532", "path_pattern_hash": "36d1a8d01ff9d9e501d856bd9686d325" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.0; en-us; dream) AppleW", "method": "GET", "path": "\/backend\/.env.production", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.0; en-us; dream) AppleWebKit\/525.10 (KHTML, like Gecko) Version\/3.0.4 Mobile Safari\/523.12.2", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.production HTTP\/1.1", "request_sample": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.0; en-us; dream) AppleWebKit\/525.10 (KHTML, like Gecko) Version\/3.0.4 Mobile Safari\/523.12.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.0; en-us; dream) AppleW", "evidence": { "method": "GET", "path": "\/backend\/.env.production", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.0; en-us; dream) AppleWebKit\/525.10 (KHTML, like Gecko) Version\/3.0.4 Mobile Safari\/523.12.2", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.production HTTP\/1.1", "request_sample": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.0; en-us; dream) AppleWebKit\/525.10 (KHTML, like Gecko) Version\/3.0.4 Mobile Safari\/523.12.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.0; en-us; dream) AppleW", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1d8abb986d7ce03dc2e665efc9059c200aac3818", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /backend/.env.backup Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env.backup HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 4.4.4; Nexus 7 Build/KTU84P) AppleWebKit/537.36 (KHTML like Gecko) Chrome/36.0.1985.135 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/.env.backup HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; Nexus 7 Build/KTU84P) App Requête brute (extrait) GET /backend/.env.backup HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; Nexus 7 Build/KTU84P) AppleWebKit/537.36 (KHTML like Gecko) Chrome/36.0.1985.135 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "backup", "http_ua_hash": "eaffd19466b40201afc74c1895732f48a659310f", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "010b38f2c3ba3880210fba1c683062ead6b6ee06", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 266, "payload_entropy": 5.449540545414159, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "3fd33b7861be81abb04778fda95f4de08e63df4b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f8a8bea4d7391eb9891620a4be35b125", "payload_hash": "89290c7f9f7f7df75ec88ae540c7daa9", "path_pattern_hash": "d21da08f9b6364ea0d2550ff45214b03" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) App", "method": "GET", "path": "\/backend\/.env.backup", "user_agent": "Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.backup HTTP\/1.1", "request_sample": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:", "payload_snippet": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) App", "evidence": { "method": "GET", "path": "\/backend\/.env.backup", "user_agent": "Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.backup HTTP\/1.1", "request_sample": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:", "payload_snippet": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) App", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a843703d14306191e1a01b7f66b7048de0524c32", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 35 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /backend/.env.bak Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env.bak HTTP/1.1` User-Agent HTC-ST7377/1.59.502.3 (67150) Opera/9.50 (Windows NT 5.1; U; en) UP.Link/6.3.1.17.0 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /backend/.env.bak HTTP/1.1 Host: 62.3.50.33:82 User-Agent: HTC-ST7377/1.59.502.3 (67150) Opera/9.50 (Windows NT 5.1; U; en Requête brute (extrait) GET /backend/.env.bak HTTP/1.1 Host: 62.3.50.33:82 User-Agent: HTC-ST7377/1.59.502.3 (67150) Opera/9.50 (Windows NT 5.1; U; en) UP.Link/6.3.1.17.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "bak", "http_ua_hash": "cde36e9129cdba07270e4d382bf3b71e62b365fe", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "634ed927b1f303dd63cc0a7dc5f7e8b5a6847ee7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 217, "payload_entropy": 5.310064966170095, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 9, "anomaly_count": 0, "campaign_key": "11770b663ddcbc64ccd759f182e5625d28c841f4", "event_fingerprint": "be145f8c05df65ac923497f64c63d467e59e9a2e", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea721dc2ca94328d48b3bb4afb43563f", "payload_hash": "a3c6b6ccf63bb458c63abcbf415f7f37", "path_pattern_hash": "6679bce94c041ed02cf99c5001176812" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: HTC-ST7377\/1.59.502.3 (67150) Opera\/9.50 (Windows NT 5.1; U; en", "method": "GET", "path": "\/backend\/.env.bak", "user_agent": "HTC-ST7377\/1.59.502.3 (67150) Opera\/9.50 (Windows NT 5.1; U; en) UP.Link\/6.3.1.17.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/backend\/.env.bak HTTP\/1.1", "request_sample": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: HTC-ST7377\/1.59.502.3 (67150) Opera\/9.50 (Windows NT 5.1; U; en) UP.Link\/6.3.1.17.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: HTC-ST7377\/1.59.502.3 (67150) Opera\/9.50 (Windows NT 5.1; U; en", "evidence": { "method": "GET", "path": "\/backend\/.env.bak", "user_agent": "HTC-ST7377\/1.59.502.3 (67150) Opera\/9.50 (Windows NT 5.1; U; en) UP.Link\/6.3.1.17.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/backend\/.env.bak HTTP\/1.1", "request_sample": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: HTC-ST7377\/1.59.502.3 (67150) Opera\/9.50 (Windows NT 5.1; U; en) UP.Link\/6.3.1.17.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: HTC-ST7377\/1.59.502.3 (67150) Opera\/9.50 (Windows NT 5.1; U; en", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1de3ff18cf453af6ee87e7ef54939816eec2a545", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }

8.230.14.61

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence