Détails IP 8.230.14.61

Synthèse exécutive

Profil de menace

Score de risque 69/100 Élevé

Première observation 04/06/2026 23:22 UTC

Dernière observation 04/06/2026 23:22 UTC

Événements (période) 302

MITRE ATT&CK principal —

risque 69/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%

Comparaison ASN / FAI

ASN 396982 · 8.230.0.0/19 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 302 événements sur la période pour cette IP.

205.210.31.83 Sonde PostgreSQL 19/06/2026 21:28 UTC
147.185.132.105 Sonde port 19/06/2026 21:27 UTC
35.203.211.242 Scanner web 19/06/2026 21:27 UTC
162.216.150.241 Scan vulnérabilités 19/06/2026 21:27 UTC
35.203.210.248 Scan vulnérabilités 19/06/2026 21:27 UTC
35.203.210.164 Scanner web 19/06/2026 21:27 UTC
198.235.24.44 Sonde PostgreSQL 19/06/2026 21:27 UTC
35.203.210.224 Scanner web 19/06/2026 21:27 UTC

Événements (filtres)

302

Première observation

04/06/2026 23:22 UTC

Dernière observation

04/06/2026 23:22 UTC

Dernière activité (filtres)

04/06/2026 23:22 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

—

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 151 TLS TCP 151

HTTP

151

TLS

151

Géolocalisation

Origine réseau déclarée

Corée du Sud unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 82 config_file_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Aperçu payload

GET /portal/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit/537.36 (KH

Port / service

Recommandation

Investiguer

Confiance

100%

Famille de menace

path_traversal config_leak_scan

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

302 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

302 événement(s) — page 3/7

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /dist/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /dist/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /dist/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /dist/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit/537.36 (KH Requête brute (extrait) GET /dist/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "036a7e6c03f2a643144624e5e69614553b17760e", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "81857e1267b33a1f581fba5ddd161461d38f8919", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.393051713716137, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "f58d8a7d99940008af21a90c13cbee04a3353cc7", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6de30378f51ed28a07416bafb29cc7f4", "payload_hash": "998ec75e170edfe27d632788f00710fa", "path_pattern_hash": "66871996c0444a7924edba6da98b9137" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/dist\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/dist\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/dist\/.env HTTP\/1.1", "request_sample": "GET \/dist\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dist\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/dist\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/dist\/.env HTTP\/1.1", "request_sample": "GET \/dist\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dist\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit\/537.36 (KH", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1bea8d518e1d6ca9e3cb98e907c45e1e878f1cbf", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /deploy/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /deploy/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /deploy/.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /deploy/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 ( Requête brute (extrait) GET /deploy/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "b4e50d21f72ed3da4be8e019b2bb1b2f8b83cb70", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "88f51b1ca7bef99bb6c035fd80f97ade7f3602a8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.429822744138454, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "32b0449ab7fe80fd63c931cd579f3ed4c721027e", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f3077cb35c807e895e33f3917db3e95f", "payload_hash": "d81280150bc53989f317487d318c65b9", "path_pattern_hash": "cf92621b9e3f2982786aa63fff3e305e" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/deploy\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit\/537.36 (", "method": "GET", "path": "\/deploy\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/deploy\/.env HTTP\/1.1", "request_sample": "GET \/deploy\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/deploy\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/deploy\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/deploy\/.env HTTP\/1.1", "request_sample": "GET \/deploy\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/deploy\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit\/537.36 (", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4c20c1b8a5d500f7e3b252d4179b1dded27f0a56", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /build/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /build/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /build/.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /build/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (K Requête brute (extrait) GET /build/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "24cc4394b5ebc83542eafb6717ef25472c22cc34", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "2d5b68c8e6ed1e8f4f16e52e678eb8949566126b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 249, "payload_entropy": 5.421795877296837, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "e3d53cd722148da13315fecdfea9c65509c7c9a5", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b629577c1771fb3549c2cc5a5fe2c3d8", "payload_hash": "a85884301cd925ae62c7f255e295340e", "path_pattern_hash": "9c0720be539cb7af2988746580f75126" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/build\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/build\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/build\/.env HTTP\/1.1", "request_sample": "GET \/build\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/build\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/build\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/build\/.env HTTP\/1.1", "request_sample": "GET \/build\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/build\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (K", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "caa51bd21725b19e28c0ff7f1b7d7eeeb2512a66", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /tmp/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /tmp/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /tmp/.env HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /tmp/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Requête brute (extrait) GET /tmp/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "9fe1d434762cf4ac057833518979290540fcab3d", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "606cb8ac14dde0b6a700154242812cc24d72a39a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 196, "payload_entropy": 5.292838891892078, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "d6996fd09c4cf418059bd8f2dcbf56ad9b3ceec3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9e891955b533973e79af7e6349946bd1", "payload_hash": "ef3de46ef03bf9404b070eb8370388f3", "path_pattern_hash": "4238aa7c586fdde889d3bc23ec72292d" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/tmp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r", "method": "GET", "path": "\/tmp\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/tmp\/.env HTTP\/1.1", "request_sample": "GET \/tmp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/tmp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "evidence": { "method": "GET", "path": "\/tmp\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/tmp\/.env HTTP\/1.1", "request_sample": "GET \/tmp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/tmp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3b8d42002af7dd77e219692bb9dad3c474345813", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /release/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /release/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /release/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E) Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /release/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko/2010 Requête brute (extrait) GET /release/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "9c6f4d33e593acd554149a1d6c4e7312d797bc2c", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "3f4c975c51cd1d3df84592564ed06afe4e782992", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 247, "payload_entropy": 5.335847063107422, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "3d698ac58a81451374501d9f82e2a69047c61ff6", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7cd5846c1fb73cfba66259c27b4ab701", "payload_hash": "5704ff0bd2b67814441affbcaf54362c", "path_pattern_hash": "93883cb09f4769a367badfafc907183e" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko\/2010", "method": "GET", "path": "\/release\/.env", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko\/20100722 Firefox\/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/release\/.env HTTP\/1.1", "request_sample": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko\/20100722 Firefox\/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko\/2010", "evidence": { "method": "GET", "path": "\/release\/.env", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko\/20100722 Firefox\/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/release\/.env HTTP\/1.1", "request_sample": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko\/20100722 Firefox\/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko\/2010", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a9f6b0d7c76679ec230b86af45d6206c8634af93", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /apps/backend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /apps/backend/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /apps/backend/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /apps/backend/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /apps/backend/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "aa6f66c97c6dffae5063b48b19629a4e29eff310", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "5342af8e96c105cf859dad12eed2c40aaf87d35d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 245, "payload_entropy": 5.417666968196759, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "b1f6dca26c2d7a3627ca1d3302d236afb7432b3a", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b1d7636725f88ec7833fea3e1ddf37b2", "payload_hash": "bed49ee146f52e6570ea240beebb3785", "path_pattern_hash": "cfddbf55f677ac93c8dcc5d08054758b" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/apps\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/apps\/backend\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.132 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/apps\/backend\/.env HTTP\/1.1", "request_sample": "GET \/apps\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.132 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/apps\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/apps\/backend\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.132 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/apps\/backend\/.env HTTP\/1.1", "request_sample": "GET \/apps\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.132 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/apps\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "93d1a8458f31a0bc5ea386b0b30edd22b7c2b7af", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /services/backend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /services/backend/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /services/backend/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10i Build/R1FA016) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /services/backend/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10 Requête brute (extrait) GET /services/backend/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10i Build/R1FA016) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Accept-Charset: utf-8 Accept-Enco Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "8722e02703dc1bbf95cbc71c136b8a1b4f99dd1c", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "bff52174bd71304ed2bfcd7637238e2def0caff3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 289, "payload_entropy": 5.366308582146715, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "bc62543cab4b583ed4f7ad6f65dbaeda80020f03", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2cc5e979b4aa5d7571892cda12c371fb", "payload_hash": "0ff806fd8e49ac7e338be0d62880e4dd", "path_pattern_hash": "5b9b007f982aa0909ed1fcbe7f087982" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10", "method": "GET", "path": "\/services\/backend\/.env", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10i Build\/R1FA016) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/backend\/.env HTTP\/1.1", "request_sample": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10i Build\/R1FA016) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Enco", "payload_snippet": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10", "evidence": { "method": "GET", "path": "\/services\/backend\/.env", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10i Build\/R1FA016) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/backend\/.env HTTP\/1.1", "request_sample": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10i Build\/R1FA016) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Enco", "payload_snippet": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "84ba0f1a518728742c6f159e8d6f56dc09ab3c6c", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 34 Recommandation Investiguer Tags 950086:sqli-21 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /var/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /var/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « sqli-21 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /var/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; MHA-AL00 Build/HUAWEIMHA-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.99 Mobile Safari/537.36 MMWEBID/9772 MicroMessenger/7.0.6.1460(0x… Règles WAF sqli-21 rce-0 nosqli-3 leak-1 Payload (extrait) GET /var/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; MHA-AL00 Build/HUAWEIMHA-AL00; wv) Apple Requête brute (extrait) GET /var/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; MHA-AL00 Build/HUAWEIMHA-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.99 Mobile Safari/537.36 MMWEBID/9772 MicroMessenger/7.0.6.1460(0x Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "382082862504cc1df3e537e83c0e227b9efa1d31", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "7f1fb2a1c5b72e520b988cd8c8a970a6662732b5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 376, "payload_entropy": 5.5671073891452805, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "b2b95d806958f29ceb71c2509682cfec6ffc319a", "event_fingerprint": "7325baf3b99dda575ccedd5b3fee96e7ae297a30", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9ab8a72c6c440df7560e9bf2f63a0869", "payload_hash": "cece8b5592d362f22419514fe9c6aca9", "path_pattern_hash": "0d0f9087dce4407a1a8d5052b0a9d1bf" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/var\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MHA-AL00 Build\/HUAWEIMHA-AL00; wv) Apple", "method": "GET", "path": "\/var\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; MHA-AL00 Build\/HUAWEIMHA-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.99 Mobile Safari\/537.36 MMWEBID\/9772 MicroMessenger\/7.0.6.1460(0x27000634) Process\/tools NetType\/WIFI Language\/zh_CN", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/var\/.env HTTP\/1.1", "request_sample": "GET \/var\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MHA-AL00 Build\/HUAWEIMHA-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.99 Mobile Safari\/537.36 MMWEBID\/9772 MicroMessenger\/7.0.6.1460(0x", "payload_snippet": "GET \/var\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MHA-AL00 Build\/HUAWEIMHA-AL00; wv) Apple", "evidence": { "method": "GET", "path": "\/var\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; MHA-AL00 Build\/HUAWEIMHA-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.99 Mobile Safari\/537.36 MMWEBID\/9772 MicroMessenger\/7.0.6.1460(0x27000634) Process\/tools NetType\/WIFI Language\/zh_CN", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/var\/.env HTTP\/1.1", "request_sample": "GET \/var\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MHA-AL00 Build\/HUAWEIMHA-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.99 Mobile Safari\/537.36 MMWEBID\/9772 MicroMessenger\/7.0.6.1460(0x", "payload_snippet": "GET \/var\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MHA-AL00 Build\/HUAWEIMHA-AL00; wv) Apple", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "77fd2bcc3c04fafb152040e259bd98ea08783362", "ban_policy": "advisory_investigate", "tags_list": [ "950086:sqli-21", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /apps/frontend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /apps/frontend/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /apps/frontend/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /apps/frontend/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit/537. Requête brute (extrait) GET /apps/frontend/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "ebc73af3add799930ae225046d32f774512e7d41", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "ba0ce57a366071a1ca1afd15a1a01a04ccdd2335", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.400601270412335, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "8ce0e34aa4d811adf8f1d883c845bb3266694ffd", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f175d57f2470206520eeed314e839c11", "payload_hash": "77ef7bf6a62bfbeb4c740041c285defd", "path_pattern_hash": "a541762358ad3d2463e9e9180528a6a3" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.", "method": "GET", "path": "\/apps\/frontend\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/apps\/frontend\/.env HTTP\/1.1", "request_sample": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/apps\/frontend\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/apps\/frontend\/.env HTTP\/1.1", "request_sample": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5241010f6d6b6a2d3555dc8325ad9cf757434b", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /packages/api/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /packages/api/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /packages/api/.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.105 Safari/537.36 Vivaldi/1.0.162.9 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /packages/api/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/53 Requête brute (extrait) GET /packages/api/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.105 Safari/537.36 Vivaldi/1.0.162.9 Accept-Charset: utf-8 Accept-Encoding: gzip Con Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "a487d7eac58407d3bf61b32150c8aa462b882af0", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "fd8fe30f25c6601a86628e4b53931f0feb977f1a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 274, "payload_entropy": 5.416828624720948, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "2e2843c52caf33eeb3c1350b944b0cf8c7ffd145", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bb43396557b49ad0987ffb6d86e33e58", "payload_hash": "33f27b260ab51fe4395e9b7e706690f2", "path_pattern_hash": "226ad246bf9a22935f1389885ad08c73" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/53", "method": "GET", "path": "\/packages\/api\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/41.0.2272.105 Safari\/537.36 Vivaldi\/1.0.162.9", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/packages\/api\/.env HTTP\/1.1", "request_sample": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/41.0.2272.105 Safari\/537.36 Vivaldi\/1.0.162.9\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/packages\/api\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/41.0.2272.105 Safari\/537.36 Vivaldi\/1.0.162.9", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/packages\/api\/.env HTTP\/1.1", "request_sample": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/41.0.2272.105 Safari\/537.36 Vivaldi\/1.0.162.9\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/53", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e6d9dd304b729231e15c7e5e91cd69414c489fad", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /services/auth/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /services/auth/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /services/auth/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /services/auth/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit/537 Requête brute (extrait) GET /services/auth/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "86434e2afa9c73762497b5d8dbd0dbe8e2d1907c", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "09b20d19aa313f464eacd68829b3fab12fccb496", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 262, "payload_entropy": 5.4499457986380095, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "6844e764b39e2a1d1d33b6f3e55435c21d52ad8c", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "87c6b603238d5d80bc8ac3d63fb5d368", "payload_hash": "a7325f44bd9a630df4846749ec1b9f3e", "path_pattern_hash": "465b6d455db6ce12c0bb2d49f4cfba7e" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537", "method": "GET", "path": "\/services\/auth\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/auth\/.env HTTP\/1.1", "request_sample": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/services\/auth\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/auth\/.env HTTP\/1.1", "request_sample": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d3be3a1654c1c913051cb0bfca425259913c8be9", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /apps/api/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /apps/api/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /apps/api/.env HTTP/1.1` User-Agent Opera/10.61 (J2ME/MIDP; Opera Mini/5.1.21219/19.999; en-US; rv:1.9.3a5) WebKit/534.5 Presto/2.6.30 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /apps/api/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Opera/10.61 (J2ME/MIDP; Opera Mini/5.1.21219/19.999; en-US; rv:1.9 Requête brute (extrait) GET /apps/api/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Opera/10.61 (J2ME/MIDP; Opera Mini/5.1.21219/19.999; en-US; rv:1.9.3a5) WebKit/534.5 Presto/2.6.30 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "ddaaa4d14465f7d0d65302a5494c28551c97f739", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "e63b41d5687406ee7f40926b7271357b1c46aaae", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 229, "payload_entropy": 5.296155640009988, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "7d09bcea6bce8b2d42c22b0e6211094115065b05", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e705331c7d7de58b19728507120295bd", "payload_hash": "2ff83358651ba9486fc8e356b6de0fd2", "path_pattern_hash": "ab70800db05dbfe0190629bc711f2fa2" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Opera\/10.61 (J2ME\/MIDP; Opera Mini\/5.1.21219\/19.999; en-US; rv:1.9", "method": "GET", "path": "\/apps\/api\/.env", "user_agent": "Opera\/10.61 (J2ME\/MIDP; Opera Mini\/5.1.21219\/19.999; en-US; rv:1.9.3a5) WebKit\/534.5 Presto\/2.6.30", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/apps\/api\/.env HTTP\/1.1", "request_sample": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Opera\/10.61 (J2ME\/MIDP; Opera Mini\/5.1.21219\/19.999; en-US; rv:1.9.3a5) WebKit\/534.5 Presto\/2.6.30\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Opera\/10.61 (J2ME\/MIDP; Opera Mini\/5.1.21219\/19.999; en-US; rv:1.9", "evidence": { "method": "GET", "path": "\/apps\/api\/.env", "user_agent": "Opera\/10.61 (J2ME\/MIDP; Opera Mini\/5.1.21219\/19.999; en-US; rv:1.9.3a5) WebKit\/534.5 Presto\/2.6.30", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/apps\/api\/.env HTTP\/1.1", "request_sample": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Opera\/10.61 (J2ME\/MIDP; Opera Mini\/5.1.21219\/19.999; en-US; rv:1.9.3a5) WebKit\/534.5 Presto\/2.6.30\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Opera\/10.61 (J2ME\/MIDP; Opera Mini\/5.1.21219\/19.999; en-US; rv:1.9", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "121e8993fabd36a2afc254ca865e17637ff95d90", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /temp/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /temp/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /temp/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /temp/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, l Requête brute (extrait) GET /temp/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "acd6daadb0e492422e8791617551c0a8b62d86d4", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "a617862b9702a5eb0473c44d9afaf4e0da55a075", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 242, "payload_entropy": 5.405847265280864, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "bba740dfae2845d5945f996c80f4ac69835b36d0", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d12e3960c3f2f800385ea8998b237a4d", "payload_hash": "f00785d7db83b9289726965b026cd7db", "path_pattern_hash": "75ee17153df3d0dbe793fbb0bd486a6b" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, l", "method": "GET", "path": "\/temp\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/temp\/.env HTTP\/1.1", "request_sample": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, l", "evidence": { "method": "GET", "path": "\/temp\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/temp\/.env HTTP\/1.1", "request_sample": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, l", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b0851eebf50191f5ebbca35382216a26c8d33e38", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /dashboard/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /dashboard/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /dashboard/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.1.1; 1713-A01) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /dashboard/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; 1713-A01) AppleWebKit/537.36 ( Requête brute (extrait) GET /dashboard/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; 1713-A01) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "6580fe77e9cc5651d2f828c1c386cbfa48305f84", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "a0df23adcbc250d22f3ea9c43cd45132cd7d119e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.3949241412925355, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "352a811f8a6535bfd0cd376a06b761386afa6028", "event_fingerprint": "7903f4f3573e6f34e9d935ef9b12727d82a7b23c", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e9948857d4e729b43c3960ff31f53a36", "payload_hash": "ae2a3608ca5473f751fb11f8d01e4194", "path_pattern_hash": "90b830636acb1be7da7ed46e94f3bb1d" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; 1713-A01) AppleWebKit\/537.36 (", "method": "GET", "path": "\/dashboard\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; 1713-A01) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/dashboard\/.env HTTP\/1.1", "request_sample": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; 1713-A01) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; 1713-A01) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/dashboard\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; 1713-A01) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/dashboard\/.env HTTP\/1.1", "request_sample": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; 1713-A01) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; 1713-A01) AppleWebKit\/537.36 (", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dc793fa95a8890291915c198405180999600c856", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_traefik", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /cms/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /cms/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /cms/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3888.0 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /cms/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET /cms/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3888.0 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "0bc7d4fba6de3d3a0681fd2a23d14c1ddfd5ae3b", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "83c0a8815eca606b22325f7ae33170918a4904ee", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 244, "payload_entropy": 5.39315086222111, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "9686d88c1ec65051f76787c8acbdd315c80b2c80", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "564e80cf41424e6ab91d25dadab32199", "payload_hash": "9a2520753935995422a92c4955256df1", "path_pattern_hash": "202848a338e2a8411edbe9c852ffc90f" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.36 (KHTML, like", "method": "GET", "path": "\/cms\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3888.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/cms\/.env HTTP\/1.1", "request_sample": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3888.0 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.36 (KHTML, like", "evidence": { "method": "GET", "path": "\/cms\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3888.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/cms\/.env HTTP\/1.1", "request_sample": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3888.0 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1b8e7bf51c2be787c4a5a8de37422ccd9ff7db2d", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/backend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /api/backend/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/backend/.env HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Mobile/15E148 Safari/604.1 Règles WAF rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/backend/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_2 like Mac OS X) AppleW Requête brute (extrait) GET /api/backend/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Mobile/15E148 Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip Conn Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "3f88560a9223d3c8de180126a46e8db992050e3e", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "e525470447161ee4034567dbf14d4d4a54f52f46", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 273, "payload_entropy": 5.358624227725525, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 9, "anomaly_count": 0, "campaign_key": "e70ef21d8fc9810910cbcf7ee5fbe371b27b9c84", "event_fingerprint": "ec379a84a3e76fd6c5a2d45b9a75d7a6526645f7", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d2df56782df4047a36761171e1a95e0e", "payload_hash": "b7bf2acdb89bac30d8d1f36ef60b15a5", "path_pattern_hash": "ad852d1414999713ac2638aba79c8ff5" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_2 like Mac OS X) AppleW", "method": "GET", "path": "\/api\/backend\/.env", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/backend\/.env HTTP\/1.1", "request_sample": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Mobile\/15E148 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_2 like Mac OS X) AppleW", "evidence": { "method": "GET", "path": "\/api\/backend\/.env", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/backend\/.env HTTP\/1.1", "request_sample": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Mobile\/15E148 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_2 like Mac OS X) AppleW", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1959ac613ae1748c812969e6b2d967d37f374d0c", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 20 Recommandation Investiguer Tags 950468:nosqli-3 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /services/api/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /services/api/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /services/api/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36 Règles WAF nosqli-3 leak-1 Payload (extrait) GET /services/api/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like G Requête brute (extrait) GET /services/api/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "b40f4fd7308d5cc182ef916248f34631df1c2acb", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "450e32f1680bf647be59805b14bbd52061e00349", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 237, "payload_entropy": 5.353229476234311, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 88, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 88, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 6, "anomaly_count": 0, "campaign_key": "7213535e327b3b084d2ccf693979f8a77807d8f7", "event_fingerprint": "fdc9394a291101b2d6e1c3992252c2cc428ddf89", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "afc1115f286038abe5deded280c54ff4", "payload_hash": "ff41bf88e44db0fa0bd30fd45ad339e9", "path_pattern_hash": "9a476469205a3b7d9994ebc8d35d13e6" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like G", "method": "GET", "path": "\/services\/api\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.108 Safari\/537.36", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/services\/api\/.env HTTP\/1.1", "request_sample": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.108 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like G", "evidence": { "method": "GET", "path": "\/services\/api\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.108 Safari\/537.36", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/services\/api\/.env HTTP\/1.1", "request_sample": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.108 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like G", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b683bf32c53b29bb754e85e974b6e38f18fcd4c4", "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:47 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /portal/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /portal/.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /portal/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /portal/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit/537.36 (KH Requête brute (extrait) GET /portal/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "4a3b6638a5bd98d453927c56d6ef158b38f76f49", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "25e9d50bacd292841afcec6b93bcba6a1f6790d4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.4480469424459965, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "89fac2ab28969fbfe88f0e07d157d71a65b00c20", "event_fingerprint": "4b6617a99e8e28bd6d55a5659ed1fd35bb28ad94", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bf714196eb558876c98432af31c49c70", "payload_hash": "4c7824c9d6c9d86f40d75b6bf722d9f8", "path_pattern_hash": "8432e822d78216a6822b5a443dbf894c" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/portal\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/portal\/.env HTTP\/1.1", "request_sample": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/portal\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/portal\/.env HTTP\/1.1", "request_sample": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KH", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "72ae78778a10f50bc742e0f2ad114237682ee5ae", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��}\�Mu�d�R(A,&��q��+/�۫ �Z.� �=k�&��I�{ ۳t0��~�L&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��}\�Mu�d�R(A,&��q��+/�۫ �Z.� �=k�&��I�{ ۳t0��~�L&�+�/�,�0̨̩� �� /5� w �+3&$ t�أ͑�Y�h .7G�=��<A�p� �� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.815528021156659, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "a17ec909c6a885d03e709514d42bd1cc", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\\\u0015\ufffdM\u0002u\ufffdd\ufffd\u0000R\b\u001c(A,&\ufffd\ufffd\u000fq\ufffd\u001e\ufffd+\/\ufffd\u06eb\u0010 \ufffdZ.\ufffd\t\ufffd=\u0001k\ufffd&\ufffd\u000f\ufffdI\ufffd\u0018{\u001b \u06f3t0\ufffd\u0007\ufffd\ufffd~\ufffdL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\\\u0015\ufffdM\u0002u\ufffdd\ufffd\u0000R\b\u001c(A,&\ufffd\ufffd\u000fq\ufffd\u001e\ufffd+\/\ufffd\u06eb\u0010 \ufffdZ.\ufffd\t\ufffd=\u0001k\ufffd&\ufffd\u000f\ufffdI\ufffd\u0018{\u001b \u06f3t0\ufffd\u0007\ufffd\ufffd~\ufffdL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0015t\u0011\ufffd\u0623\u0351\ufffdY\ufffdh\n\u0016.7G\ufffd=\ufffd\ufffd\ufffd\ufffd<A\ufffdp\ufffd\f\ufffd\ufffd\u0007", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\\\u0015\ufffdM\u0002u\ufffdd\ufffd\u0000R\b\u001c(A,&\ufffd\ufffd\u000fq\ufffd\u001e\ufffd+\/\ufffd\u06eb\u0010 \ufffdZ.\ufffd\t\ufffd=\u0001k\ufffd&\ufffd\u000f\ufffdI\ufffd\u0018{\u001b \u06f3t0\ufffd\u0007\ufffd\ufffd~\ufffdL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\\\u0015\ufffdM\u0002u\ufffdd\ufffd\u0000R\b\u001c(A,&\ufffd\ufffd\u000fq\ufffd\u001e\ufffd+\/\ufffd\u06eb\u0010 \ufffdZ.\ufffd\t\ufffd=\u0001k\ufffd&\ufffd\u000f\ufffdI\ufffd\u0018{\u001b \u06f3t0\ufffd\u0007\ufffd\ufffd~\ufffdL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0015t\u0011\ufffd\u0623\u0351\ufffdY\ufffdh\n\u0016.7G\ufffd=\ufffd\ufffd\ufffd\ufffd<A\ufffdp\ufffd\f\ufffd\ufffd\u0007", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\\\u0015\ufffdM\u0002u\ufffdd\ufffd\u0000R\b\u001c(A,&\ufffd\ufffd\u000fq\ufffd\u001e\ufffd+\/\ufffd\u06eb\u0010 \ufffdZ.\ufffd\t\ufffd=\u0001k\ufffd&\ufffd\u000f\ufffdI\ufffd\u0018{\u001b \u06f3t0\ufffd\u0007\ufffd\ufffd~\ufffdL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b3f11c8f9ea241fe23d39e28b48df052e26f42cd", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��aT�X9V��W9E+�y�Ԁ ��3��L <�5xP��9��AU��1�� Ҝb)�M�\&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��aT�X9V��W9E+�y�Ԁ ��3��L <�5xP��9��AU��1�� Ҝb)�M�\&�+�/�,�0̨̩� �� /5� w �+3&$ )� .4�Fhyјm'j3>V)L��I?r t�^ Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.814404916580573, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "e693c453fce4e181ac11b6d784eced7f", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdaT\b\ufffdX9V\ufffd\ufffdW9\u0002E+\ufffdy\ufffd\u0500\u001d\n\ufffd\ufffd\ufffd3\u0004\ufffd\ufffd\ufffdL <\ufffd5xP\ufffd\u0011\ufffd9\ufffd\ufffd\ufffd\ufffd\ufffdAU\ufffd\ufffd1\ufffd\ufffd\n\ufffd\u049cb)\ufffdM\ufffd\\\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdaT\b\ufffdX9V\ufffd\ufffdW9\u0002E+\ufffdy\ufffd\u0500\u001d\n\ufffd\ufffd\ufffd3\u0004\ufffd\ufffd\ufffdL <\ufffd5xP\ufffd\u0011\ufffd9\ufffd\ufffd\ufffd\ufffd\ufffdAU\ufffd\ufffd1\ufffd\ufffd\n\ufffd\u049cb)\ufffdM\ufffd\\\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 )\ufffd\r.4\ufffdF\u0010hy\u0458m'j3>V)L\ufffd\ufffdI?r\nt\ufffd^", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdaT\b\ufffdX9V\ufffd\ufffdW9\u0002E+\ufffdy\ufffd\u0500\u001d\n\ufffd\ufffd\ufffd3\u0004\ufffd\ufffd\ufffdL <\ufffd5xP\ufffd\u0011\ufffd9\ufffd\ufffd\ufffd\ufffd\ufffdAU\ufffd\ufffd1\ufffd\ufffd\n\ufffd\u049cb)\ufffdM\ufffd\\\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdaT\b\ufffdX9V\ufffd\ufffdW9\u0002E+\ufffdy\ufffd\u0500\u001d\n\ufffd\ufffd\ufffd3\u0004\ufffd\ufffd\ufffdL <\ufffd5xP\ufffd\u0011\ufffd9\ufffd\ufffd\ufffd\ufffd\ufffdAU\ufffd\ufffd1\ufffd\ufffd\n\ufffd\u049cb)\ufffdM\ufffd\\\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 )\ufffd\r.4\ufffdF\u0010hy\u0458m'j3>V)L\ufffd\ufffdI?r\nt\ufffd^", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdaT\b\ufffdX9V\ufffd\ufffdW9\u0002E+\ufffdy\ufffd\u0500\u001d\n\ufffd\ufffd\ufffd3\u0004\ufffd\ufffd\ufffdL <\ufffd5xP\ufffd\u0011\ufffd9\ufffd\ufffd\ufffd\ufffd\ufffdAU\ufffd\ufffd1\ufffd\ufffd\n\ufffd\u049cb)\ufffdM\ufffd\\\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4361d7a56fdff46de5f31ae2579164b9b91420f2", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��2��<�&�c�Z��"��JS��R��R�� n�i�M��-ڠ>8O�:�s?�)�>e��nrǩ�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��2��<� &�c�Z��"��JS��R��R�� n�i�M��-ڠ>8O�:� s?�)�>e��nrǩ�&�+�/�,�0̨̩� �� /5� w �+3&$ ��s��6�)�=5�Di��]��`ۘ* n Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.886063182500617, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "9c5edb4ab2076c8b78f3b9da39db7090", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00032\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\f&\ufffdc\ufffdZ\ufffd\ufffd\ufffd\"\ufffd\ufffd\u0014JS\ufffd\ufffdR\ufffd\ufffdR\ufffd\u0017\ufffd n\ufffdi\ufffdM\ufffd\ufffd-\u06a0>8O\ufffd:\ufffd\fs?\ufffd)\ufffd>e\ufffd\ufffdnr\u01e9\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00032\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\f&\ufffdc\ufffdZ\ufffd\ufffd\ufffd\"\ufffd\ufffd\u0014JS\ufffd\ufffdR\ufffd\ufffdR\ufffd\u0017\ufffd n\ufffdi\ufffdM\ufffd\ufffd-\u06a0>8O\ufffd:\ufffd\fs?\ufffd)\ufffd>e\ufffd\ufffdnr\u01e9\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffds\ufffd\ufffd6\ufffd)\ufffd=5\ufffd\u001dDi\ufffd\ufffd\ufffd\ufffd]\ufffd\ufffd`\u06d8\rn\r", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00032\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\f&\ufffdc\ufffdZ\ufffd\ufffd\ufffd\"\ufffd\ufffd\u0014JS\ufffd\ufffdR\ufffd\ufffdR\ufffd\u0017\ufffd n\ufffdi\ufffdM\ufffd\ufffd-\u06a0>8O\ufffd:\ufffd\fs?\ufffd)\ufffd>e\ufffd\ufffdnr\u01e9\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00032\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\f&\ufffdc\ufffdZ\ufffd\ufffd\ufffd\"\ufffd\ufffd\u0014JS\ufffd\ufffdR\ufffd\ufffdR\ufffd\u0017\ufffd n\ufffdi\ufffdM\ufffd\ufffd-\u06a0>8O\ufffd:\ufffd\fs?\ufffd)\ufffd>e\ufffd\ufffdnr\u01e9\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffds\ufffd\ufffd6\ufffd)\ufffd=5\ufffd\u001dDi\ufffd\ufffd\ufffd\ufffd]\ufffd\ufffd`\u06d8\rn\r", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00032\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\f&\ufffdc\ufffdZ\ufffd\ufffd\ufffd\"\ufffd\ufffd\u0014JS\ufffd\ufffdR\ufffd\ufffdR\ufffd\u0017\ufffd n\ufffdi\ufffdM\ufffd\ufffd-\u06a0>8O\ufffd:\ufffd\fs?\ufffd)\ufffd>e\ufffd\ufffdnr\u01e9\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d08d2f5d45125d8c5429c1c65a46b5a83d648380", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��HHm�,�]񪝴R�F�+��}�� &�V=�{�e� �O��rOh=Н�D���Q&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��HHm�,�]񪝴R�F�+��}�� &�V= �{�e� �O��rOh=Н�D���Q&�+�/�,�0̨̩� �� /5� w �+3&$ ��J�M�pZ�ٺ��j�4>-�O Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.862459321039847, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "7f302f061d325e24d963caa0c23dbd1a", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003HHm\ufffd\u001e,\ufffd]\ud969\udf74R\ufffdF\ufffd+\ufffd\ufffd\ufffd}\ufffd\ufffd\ufffd\ufffd\ufffd\u0001\ufffd\ufffd\r \u001a\u000f\ufffd&\ufffdV=\f\ufffd{\ufffde\ufffd \ufffdO\ufffd\ufffdrOh=\u041d\ufffdD\ufffd\ufffd\ufffdQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003HHm\ufffd\u001e,\ufffd]\ud969\udf74R\ufffdF\ufffd+\ufffd\ufffd\ufffd}\ufffd\ufffd\ufffd\ufffd\ufffd\u0001\ufffd\ufffd\r \u001a\u000f\ufffd&\ufffdV=\f\ufffd{\ufffde\ufffd \ufffdO\ufffd\ufffdrOh=\u041d\ufffdD\ufffd\ufffd\ufffdQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u001a\ufffd\ufffd\u001e\ufffdJ\ufffdM\ufffdp\u001cZ\ufffd\u067a\ufffd\ufffd\ufffd\ufffd\u000f\ufffd\ufffd\ufffdj\u0007\ufffd4>-\ufffdO", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003HHm\ufffd\u001e,\ufffd]\ud969\udf74R\ufffdF\ufffd+\ufffd\ufffd\ufffd}\ufffd\ufffd\ufffd\ufffd\ufffd\u0001\ufffd\ufffd\r \u001a\u000f\ufffd&\ufffdV=\f\ufffd{\ufffde\ufffd \ufffdO\ufffd\ufffdrOh=\u041d\ufffdD\ufffd\ufffd\ufffdQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003HHm\ufffd\u001e,\ufffd]\ud969\udf74R\ufffdF\ufffd+\ufffd\ufffd\ufffd}\ufffd\ufffd\ufffd\ufffd\ufffd\u0001\ufffd\ufffd\r \u001a\u000f\ufffd&\ufffdV=\f\ufffd{\ufffde\ufffd \ufffdO\ufffd\ufffdrOh=\u041d\ufffdD\ufffd\ufffd\ufffdQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u001a\ufffd\ufffd\u001e\ufffdJ\ufffdM\ufffdp\u001cZ\ufffd\u067a\ufffd\ufffd\ufffd\ufffd\u000f\ufffd\ufffd\ufffdj\u0007\ufffd4>-\ufffdO", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003HHm\ufffd\u001e,\ufffd]\ud969\udf74R\ufffdF\ufffd+\ufffd\ufffd\ufffd}\ufffd\ufffd\ufffd\ufffd\ufffd\u0001\ufffd\ufffd\r \u001a\u000f\ufffd&\ufffdV=\f\ufffd{\ufffde\ufffd \ufffdO\ufffd\ufffdrOh=\u041d\ufffdD\ufffd\ufffd\ufffd*Q\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f770101355081d01d1c7f320372b8351c8901ef3", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��j,2Vz�{��0�\'�!�06��Ѵ%Gg� zjՁ�C��]�t�U�]��E�M J��Q &�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��j,2Vz�{��0�\'�!�06��Ѵ%Gg� zjՁ�C��]�t�U�]��E�M J��Q &�+�/�,�0̨̩� �� /5� w �+3&$ �;&v\� �NX։U��M��>��4 Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.803664318758484, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "ddd6b8f13ff381fd449536e013743c2b", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdj,2Vz\ufffd{\ufffd\ufffd\ufffd0\ufffd\\'\ufffd!\ufffd06\ufffd\ufffd\ufffd\u0474%Gg\ufffd zj\u0541\ufffdC\ufffd\ufffd]\ufffdt\ufffdU\ufffd]\ufffd\ufffdE\ufffdM\u001a\u001b\tJ\ufffd\ufffd\ufffd\ufffdQ\u0007\n\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdj,2Vz\ufffd{\ufffd\ufffd\ufffd0\ufffd\\'\ufffd!\ufffd06\ufffd\ufffd\ufffd\u0474%Gg\ufffd zj\u0541\ufffdC\ufffd\ufffd]\ufffdt\ufffdU\ufffd]\ufffd\ufffdE\ufffdM\u001a\u001b\tJ\ufffd\ufffd\ufffd\ufffdQ\u0007\n\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0001\ufffd;&v\u001c\\\u0007\ufffd\u000b\ufffd\u0001NX\u0589\u0018\u0016U\ufffd\ufffd\ufffdM\ufffd\ufffd\u0017\ufffd\u0007>\ufffd\ufffd4", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdj,2Vz\ufffd{\ufffd\ufffd\ufffd0\ufffd\\'\ufffd!\ufffd06\ufffd\ufffd\ufffd\u0474%Gg\ufffd zj\u0541\ufffdC\ufffd\ufffd]\ufffdt\ufffdU\ufffd]\ufffd\ufffdE\ufffdM\u001a\u001b\tJ\ufffd\ufffd\ufffd\ufffdQ\u0007\n\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdj,2Vz\ufffd{\ufffd\ufffd\ufffd0\ufffd\\'\ufffd!\ufffd06\ufffd\ufffd\ufffd\u0474%Gg\ufffd zj\u0541\ufffdC\ufffd\ufffd]\ufffdt\ufffdU\ufffd]\ufffd\ufffdE\ufffdM\u001a\u001b\tJ\ufffd\ufffd\ufffd\ufffdQ\u0007\n\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0001\ufffd;&v\u001c\\\u0007\ufffd\u000b\ufffd\u0001NX\u0589\u0018\u0016U\ufffd\ufffd\ufffdM\ufffd\ufffd\u0017\ufffd\u0007>\ufffd\ufffd4", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdj,2Vz\ufffd{\ufffd\ufffd\ufffd0\ufffd\\'\ufffd!\ufffd06\ufffd\ufffd\ufffd\u0474%Gg\ufffd zj\u0541\ufffdC\ufffd\ufffd]\ufffdt\ufffdU\ufffd]\ufffd\ufffdE\ufffdM\u001a\u001b\tJ\ufffd\ufffd\ufffd\ufffdQ\u0007\n\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5abba0d2b2aa36a6ed60262215e7724df073e703", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��6�g��&e&��^#y��)C�ү� ��8N߭�?gg6tbn��Ȑ��mI�tIH&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��6�g��&e&��^#y��)C�ү� ��8N߭�?gg6tbn��Ȑ��mI�tIH&�+�/�,�0̨̩� �� /5� w �+3&$ �GBMC�2��v�f��u�F�q1�a ��N�( Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.895538757841587, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "4088bdb918ba550540d3dadc57b821ee", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd6\ufffdg\ufffd\ufffd\u001e\ufffd\ufffd&\u0010e&\u0010\ufffd\ufffd\ufffd^#y\ufffd\ufffd\ufffd\ufffd\ufffd)C\ufffd\u04af\ufffd \ufffd\ufffd8N\u07ed\ufffd?gg6t\u0004\u0002bn\ufffd\ufffd\u0210\ufffd\ufffd\ufffdmI\ufffdtIH\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd6\ufffdg\ufffd\ufffd\u001e\ufffd\ufffd&\u0010e&\u0010\ufffd\ufffd\ufffd^#y\ufffd\ufffd\ufffd\ufffd\ufffd)C\ufffd\u04af\ufffd \ufffd\ufffd8N\u07ed\ufffd?gg6t\u0004\u0002bn\ufffd\ufffd\u0210\ufffd\ufffd\ufffdmI\ufffdtIH\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdGBMC\ufffd2\u0011\ufffd\ufffd\ufffdv\ufffdf\ufffd\ufffdu\ufffdF\ufffdq1\ufffda\f\ufffd\ufffd\ufffdN\ufffd(", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd6\ufffdg\ufffd\ufffd\u001e\ufffd\ufffd&\u0010e&\u0010\ufffd\ufffd\ufffd^#y\ufffd\ufffd\ufffd\ufffd\ufffd)C\ufffd\u04af\ufffd \ufffd\ufffd8N\u07ed\ufffd?gg6t\u0004\u0002bn\ufffd\ufffd\u0210\ufffd\ufffd\ufffdmI\ufffdtIH\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd6\ufffdg\ufffd\ufffd\u001e\ufffd\ufffd&\u0010e&\u0010\ufffd\ufffd\ufffd^#y\ufffd\ufffd\ufffd\ufffd\ufffd)C\ufffd\u04af\ufffd \ufffd\ufffd8N\u07ed\ufffd?gg6t\u0004\u0002bn\ufffd\ufffd\u0210\ufffd\ufffd\ufffdmI\ufffdtIH\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdGBMC\ufffd2\u0011\ufffd\ufffd\ufffdv\ufffdf\ufffd\ufffdu\ufffdF\ufffdq1\ufffda\f\ufffd\ufffd\ufffdN\ufffd(", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd6\ufffdg\ufffd\ufffd\u001e\ufffd\ufffd&\u0010e&\u0010\ufffd\ufffd\ufffd^#y\ufffd\ufffd\ufffd\ufffd\ufffd)C\ufffd\u04af\ufffd \ufffd\ufffd8N\u07ed\ufffd?gg6t\u0004\u0002bn\ufffd\ufffd\u0210\ufffd\ufffd\ufffdmI\ufffdtIH\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "39a01e1fa854ed0637f10b9488919283e24e8889", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Fpˀ��;�1#�К+��v��C!u�瑀� [��uT/E�ܙ�g��y�-o�5�W�"��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Fpˀ��;�1#�К+��v��C!u�瑀� [��uT/E�ܙ�g��y�-o�5�W�"��&�+�/�,�0̨̩� �� /5� w �+3&$ s��1��kID�~��4�}Uq��N Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.849922287238863, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "08fe25cd2cece9d4cfd2a41d378719dc", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Fp\u02c0\ufffd\ufffd\ufffd\ufffd\ufffd;\ufffd1#\ufffd\u041a+\ufffd\u0012\ufffdv\ufffd\ufffdC!u\ufffd\u7440\ufffd \u0016[\u001d\ufffd\ufffd\ufffd\ufffd\ufffduT\/E\ufffd\u0719\ufffdg\ufffd\ufffdy\ufffd\u001e-o\ufffd5\ufffdW\ufffd\"\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Fp\u02c0\ufffd\ufffd\ufffd\ufffd\ufffd;\ufffd1#\ufffd\u041a+\ufffd\u0012\ufffdv\ufffd\ufffdC!u\ufffd\u7440\ufffd \u0016[\u001d\ufffd\ufffd\ufffd\ufffd\ufffduT\/E\ufffd\u0719\ufffdg\ufffd\ufffdy\ufffd\u001e-o\ufffd5\ufffdW\ufffd\"\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 s\u0011\ufffd\u0017\ufffd1\ufffd\u0002\ufffd\u0000\ufffdkID\ufffd~\ufffd\ufffd\u000e\ufffd4\ufffd}\u0004\u0003Uq\ufffd\ufffdN", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Fp\u02c0\ufffd\ufffd\ufffd\ufffd\ufffd;\ufffd1#\ufffd\u041a+\ufffd\u0012\ufffdv\ufffd\ufffdC!u\ufffd\u7440\ufffd \u0016[\u001d\ufffd\ufffd\ufffd\ufffd\ufffduT\/E\ufffd\u0719\ufffdg\ufffd\ufffdy\ufffd\u001e-o\ufffd5\ufffdW\ufffd\"\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Fp\u02c0\ufffd\ufffd\ufffd\ufffd\ufffd;\ufffd1#\ufffd\u041a+\ufffd\u0012\ufffdv\ufffd\ufffdC!u\ufffd\u7440\ufffd \u0016[\u001d\ufffd\ufffd\ufffd\ufffd\ufffduT\/E\ufffd\u0719\ufffdg\ufffd\ufffdy\ufffd\u001e-o\ufffd5\ufffdW\ufffd\"\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 s\u0011\ufffd\u0017\ufffd1\ufffd\u0002\ufffd\u0000\ufffdkID\ufffd~\ufffd\ufffd\u000e\ufffd4\ufffd}\u0004*\u0003Uq\ufffd\ufffdN", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Fp\u02c0\ufffd\ufffd\ufffd\ufffd\ufffd;\ufffd1#\ufffd\u041a+\ufffd\u0012\ufffdv\ufffd\ufffdC!u\ufffd\u7440\ufffd \u0016[\u001d\ufffd\ufffd\ufffd\ufffd\ufffduT\/E\ufffd\u0719\ufffdg\ufffd\ufffdy\ufffd\u001e-o\ufffd5\ufffdW\ufffd\"\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6adb6a1ea4c4f0b775eea1be82f7e01affa38a8f", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��T��F�JhS��8�V��V� @�Wo��õ��-�˘�~n��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��T��F�JhS ��8�V��V� @�Wo��õ��-�˘�~n��&�+�/�,�0̨̩� �� /5� w �+3&$ ܵF�[8}�o��<��\�Ϭ�X��, Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.724047959276433, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "157ba12500f196c6451925d82ba0fb67", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdT\u001b\ufffd\ufffd\u0003F\u0018\ufffdJhS\u000b\ufffd\ufffd\ufffd\u0002\ufffd\ufffd\ufffd\ufffd8\ufffdV\ufffd\u001f\ufffd\u0006\ufffd\ufffdV\ufffd @\ufffdWo\ufffd\ufffd\u001c\ufffd\ufffd\ufffd\ufffd\ufffd\u00f5\b\ufffd\ufffd\ufffd-\u000e\ufffd\u000f\u001b\u02d8\b\ufffd~n\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdT\u001b\ufffd\ufffd\u0003F\u0018\ufffdJhS\u000b\ufffd\ufffd\ufffd\u0002\ufffd\ufffd\ufffd\ufffd8\ufffdV\ufffd\u001f\ufffd\u0006\ufffd\ufffdV\ufffd @\ufffdWo\ufffd\ufffd\u001c\ufffd\ufffd\ufffd\ufffd\ufffd\u00f5\b\ufffd\ufffd\ufffd-\u000e\ufffd\u000f\u001b\u02d8\b\ufffd~n\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0735F\ufffd[8}\ufffd\u0006o\b\u0001\u0018\ufffd\u001c\ufffd<\ufffd\ufffd\ufffd\u001f\ufffd\\\ufffd\u03ec\ufffd\u001dX\ufffd\ufffd,", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdT\u001b\ufffd\ufffd\u0003F\u0018\ufffdJhS\u000b\ufffd\ufffd\ufffd\u0002\ufffd\ufffd\ufffd\ufffd8\ufffdV\ufffd\u001f\ufffd\u0006\ufffd\ufffdV\ufffd @\ufffdWo\ufffd\ufffd\u001c\ufffd\ufffd\ufffd\ufffd\ufffd\u00f5\b\ufffd\ufffd\ufffd-\u000e\ufffd\u000f\u001b\u02d8\b\ufffd~n\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdT\u001b\ufffd\ufffd\u0003F\u0018\ufffdJhS\u000b\ufffd\ufffd\ufffd\u0002\ufffd\ufffd\ufffd\ufffd8\ufffdV\ufffd\u001f\ufffd\u0006\ufffd\ufffdV\ufffd @\ufffdWo\ufffd\ufffd\u001c\ufffd\ufffd\ufffd\ufffd\ufffd\u00f5\b\ufffd\ufffd\ufffd-\u000e\ufffd\u000f\u001b\u02d8\b\ufffd~n\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0735F\ufffd[8}\ufffd\u0006o\b\u0001\u0018\ufffd\u001c\ufffd<\ufffd\ufffd\ufffd\u001f\ufffd\\\ufffd\u03ec\ufffd\u001dX\ufffd\ufffd,", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdT\u001b\ufffd\ufffd\u0003F\u0018\ufffdJhS\u000b\ufffd\ufffd\ufffd\u0002\ufffd\ufffd\ufffd\ufffd8\ufffdV\ufffd\u001f\ufffd\u0006\ufffd\ufffdV\ufffd @\ufffdWo\ufffd\ufffd\u001c\ufffd\ufffd\ufffd\ufffd\ufffd\u00f5\b\ufffd\ufffd\ufffd-\u000e\ufffd\u000f\u001b\u02d8\b\ufffd~n\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e6391caa0c0f87e8660b3deeaf4b5fc35892f296", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��o�o��d�+̸�^:�[�]� � 8��CD ��{��ع2�m�1 :��8�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��o�o��d�+̸�^:�[�]� � 8��CD ��{��ع2�m�1 :��8�&�+�/�,�0̨̩� �� /5� w �+3&$ 3<��˺@�vQ�":t�A�,w�ї� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.723098473366459, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "bfa0e7f0b534f99a221923883a61e94a", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdo\ufffdo\ufffd\ufffdd\u001b\ufffd+\u0019\u0338\ufffd^\u000f:\ufffd[\ufffd]\ufffd\n\t\ufffd\t8\ufffd\ufffd\ufffdCD \ufffd\u0018\ufffd\ufffd\u0003\ufffd\ufffd\u0016\u0014\ufffd\u0014{\ufffd\ufffd\b\ufffd\ufffd\u06392\ufffdm\ufffd1\t:\u0016\ufffd\ufffd8\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdo\ufffdo\ufffd\ufffdd\u001b\ufffd+\u0019\u0338\ufffd^\u000f:\ufffd[\ufffd]\ufffd\n\t\ufffd\t8\ufffd\ufffd\ufffdCD \ufffd\u0018\ufffd\ufffd\u0003\ufffd\ufffd\u0016\u0014\ufffd\u0014{\ufffd\ufffd\b\ufffd\ufffd\u06392\ufffdm\ufffd1\t:\u0016\ufffd\ufffd8\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \b3<\ufffd\ufffd\u0016\ufffd\ufffd\u02fa@\ufffdvQ\u0001\ufffd\":t\ufffdA\ufffd,w\ufffd\u0457\ufffd\u001a\u000e", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdo\ufffdo\ufffd\ufffdd\u001b\ufffd+\u0019\u0338\ufffd^\u000f:\ufffd[\ufffd]\ufffd\n\t\ufffd\t8\ufffd\ufffd\ufffdCD \ufffd\u0018\ufffd\ufffd\u0003\ufffd\ufffd\u0016\u0014\ufffd\u0014{\ufffd\ufffd\b\ufffd\ufffd\u06392\ufffdm\ufffd1\t:\u0016\ufffd\ufffd8\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdo\ufffdo\ufffd\ufffdd\u001b\ufffd+\u0019\u0338\ufffd^\u000f:\ufffd[\ufffd]\ufffd\n\t\ufffd\t8\ufffd\ufffd\ufffdCD \ufffd\u0018\ufffd\ufffd\u0003\ufffd\ufffd\u0016\u0014\ufffd\u0014{\ufffd\ufffd\b\ufffd\ufffd\u06392\ufffdm\ufffd1\t:\u0016\ufffd\ufffd8\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \b3<\ufffd\ufffd\u0016\ufffd\ufffd\u02fa@\ufffdvQ\u0001\ufffd\":t\ufffdA\ufffd,w\ufffd\u0457\ufffd\u001a\u000e", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdo\ufffdo\ufffd\ufffdd\u001b\ufffd+\u0019\u0338\ufffd^\u000f:\ufffd[\ufffd]\ufffd\n\t\ufffd\t8\ufffd\ufffd\ufffdCD \ufffd\u0018\ufffd\ufffd\u0003\ufffd\ufffd\u0016\u0014\ufffd\u0014{\ufffd\ufffd\b\ufffd\ufffd\u06392\ufffdm\ufffd1\t:\u0016\ufffd\ufffd8\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dcc183e3a04430f028f825881a6092ca3f22b4e1", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Q��?K� 5 ��m8�j;[��\��b��2� �_X��\�G��X�<��63c��\|��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Q��?K� 5 ��m8�j;[��\��b��2� �_X��\�G��X�<��63c��\|��&�+�/�,�0̨̩� �� /5� w �+3&$ ��1��ޙF 5��l~��vL>wܶ�0I Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.887316723966437, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "0688d46f722e113b1a377d761662482c", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Q\ufffd\ufffd?K\ufffd\r5\t \ufffd\ufffd\ufffdm8\ufffdj;[\u0014\ufffd\ufffd\\\ufffd\ufffd\ufffdb\ufffd\ufffd2\ufffd \ufffd_X\ufffd\ufffd\\\ufffdG\u001b\ufffd\ufffdX\ufffd<\ufffd\u000f\ufffd\u0006\ufffd\ufffd\ufffd\b63c\ufffd\ufffd\|\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Q\ufffd\ufffd?K\ufffd\r5\t \ufffd\ufffd\ufffdm8\ufffdj;[\u0014\ufffd\ufffd\\\ufffd\ufffd\ufffdb\ufffd\ufffd2\ufffd \ufffd_X\ufffd\ufffd\\\ufffdG\u001b\ufffd\ufffdX\ufffd<\ufffd\u000f\ufffd\u0006\ufffd\ufffd\ufffd\b63c\ufffd\ufffd\|\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd1\ufffd\ufffd\ufffd\ufffd\u0799F\f5\ufffd\ufffd\ufffd\u0014l~\ufffd\ufffd\ufffd\ufffd\ufffdvL>w\u0736\ufffd0I", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Q\ufffd\ufffd?K\ufffd\r5\t \ufffd\ufffd\ufffdm8\ufffdj;[\u0014\ufffd\ufffd\\\ufffd\ufffd\ufffdb\ufffd\ufffd2\ufffd \ufffd_X\ufffd\ufffd\\\ufffdG\u001b\ufffd\ufffdX\ufffd<\ufffd\u000f\ufffd\u0006\ufffd\ufffd\ufffd\b63c\ufffd\ufffd\|\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Q\ufffd\ufffd?K\ufffd\r5\t \ufffd\ufffd\ufffdm8\ufffdj;[\u0014\ufffd\ufffd\\\ufffd\ufffd\ufffdb\ufffd\ufffd2\ufffd \ufffd_X\ufffd\ufffd\\\ufffdG\u001b\ufffd\ufffdX\ufffd<\ufffd\u000f\ufffd\u0006\ufffd\ufffd\ufffd\b63c\ufffd\ufffd\|\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd1\ufffd\ufffd\ufffd\ufffd\u0799F\f5\ufffd\ufffd\ufffd\u0014l~\ufffd\ufffd\ufffd\ufffd\ufffdvL>w\u0736\ufffd0I", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Q\ufffd\ufffd?K\ufffd\r5\t \ufffd\ufffd\ufffdm8\ufffdj;[\u0014\ufffd\ufffd\\\ufffd\ufffd\ufffdb\ufffd\ufffd2\ufffd \ufffd_X\ufffd\ufffd\\\ufffdG\u001b\ufffd\ufffdX\ufffd<\ufffd\u000f\ufffd\u0006\ufffd\ufffd\ufffd\b63c\ufffd\ufffd\|\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3b34552dc7de29e67e9266446015e692e8487741", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit/534.15 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit/534.15 Requête brute (extrait) GET /.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit/534.15 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "env", "http_ua_hash": "e6a448a694fda4ff58870f1957c1be1ef254c6d3", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "9ee0d3f55b39072ba6bec6203d26e470be80afdc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.369998646843224, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "1ef768245b345a5e8cd3eeb6e1d77ec0a069cbf6", "event_fingerprint": "923b03ecbe6dc33ec434181b836057f12790b1fe", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6dabb5aa44875df608d39d1ccbba964e", "payload_hash": "774d7d5d17f76332dbf93459ffc649d1", "path_pattern_hash": "aef81e7735de8f42b73e111497498c8b" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit\/534.15", "method": "GET", "path": "\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit\/534.15 (KHTML, like Gecko) Version\/5.0.3 Safari\/533.19.4", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env HTTP\/1.1", "request_sample": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit\/534.15 (KHTML, like Gecko) Version\/5.0.3 Safari\/533.19.4\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit\/534.15", "evidence": { "method": "GET", "path": "\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit\/534.15 (KHTML, like Gecko) Version\/5.0.3 Safari\/533.19.4", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env HTTP\/1.1", "request_sample": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit\/534.15 (KHTML, like Gecko) Version\/5.0.3 Safari\/533.19.4\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit\/534.15", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8be8b4a00a8656f4c42cec8cc837f7d8ceb6060c", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_env", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.staging TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.staging Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.staging HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.42 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.staging HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /.env.staging HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.42 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "staging", "http_ua_hash": "8efed96616a2cd540ff7b00ab4030a2b5c6b73e6", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "b697ca05984d1bd61ac6a6cd96868703f3417431", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 243, "payload_entropy": 5.406507911583319, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "1d2520029215bdd381d09414ff9d78c874237e58", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "81adbc34bf74b39952c774d8bee33cf6", "payload_hash": "f1872a731fbda6acf2a6ae931371341f", "path_pattern_hash": "273c68db2803cfd6e1d27200e5969039" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/.env.staging", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.staging HTTP\/1.1", "request_sample": "GET \/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/.env.staging", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.staging HTTP\/1.1", "request_sample": "GET \/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "941239cba7d5fb89366081e263180462a6e8a68c", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.example TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.example Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.example HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.example HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit/537.36 Requête brute (extrait) GET /.env.example HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "example", "http_ua_hash": "042aea374dea8d91a602a0e615549b479ed19ff2", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "080963ef62d711207d0e68706f04d0705ec4d7fa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.384888131582785, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "ec0abaa4061a67e5024faddc421ad4995d226235", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "00d61033796631745a230211c2789e70", "payload_hash": "d265e6711a072f7d6db286f09916c54d", "path_pattern_hash": "f8bf22cb3ab23601599be7f21fa00aee" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36", "method": "GET", "path": "\/.env.example", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.example HTTP\/1.1", "request_sample": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/.env.example", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.example HTTP\/1.1", "request_sample": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "97cc51218af2ce603ec5f532aad47810a8ad2b1a", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.prod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.prod Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.prod HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.prod HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Requête brute (extrait) GET /.env.prod HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "prod", "http_ua_hash": "4787c51e684e5df545394a73ee8b8ff4377c749d", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "dbae5bda5d181ccfbfc6b75e40a8edbe5f27e87d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 195, "payload_entropy": 5.242210770920314, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "468d8971f6835beeca991ac6ab6e099e543c5375", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c52e9e801d6598157433a6ed10251d3c", "payload_hash": "84e198b7041cc321d6e392e7264aef62", "path_pattern_hash": "d6acfe32219429bb20e7ee2ee79adb21" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\n", "method": "GET", "path": "\/.env.prod", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.prod HTTP\/1.1", "request_sample": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "evidence": { "method": "GET", "path": "\/.env.prod", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.prod HTTP\/1.1", "request_sample": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5e48655c7525c70879331c619527dc68affa54fd", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.template TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.template Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.template HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.template HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /.env.template HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "template", "http_ua_hash": "31c6693e81c41576dff5e77d55507780d9f17c29", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "edccaea3bbb1eaacbff6973ad5f703ae60c1ddc1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 244, "payload_entropy": 5.395763248987777, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "721c2b0cd7f5fb5056f3d7ba3aee54abbabe4fc7", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e65c1f4c19c7a3c3cdcfef6a620b44eb", "payload_hash": "4002cd2bd56a3bb9f0a6da30be87dab6", "path_pattern_hash": "6f72c17e203141284a34bb73c6ef5765" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/.env.template", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.77 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.template HTTP\/1.1", "request_sample": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.77 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/.env.template", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.77 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.template HTTP\/1.1", "request_sample": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.77 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "548d730ae4d2b5fc973013785d39c0be8559f459", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.testing TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.testing Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.testing HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; moto e5 plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.testing HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; moto e5 plus) AppleWebKit/537.36 Requête brute (extrait) GET /.env.testing HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; moto e5 plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "testing", "http_ua_hash": "7c576cecf6b5adb4ba90ff81dfa87d1b2eb496a1", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "d6baaf9bbaea83adf628e2291f2046f316df3dcd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.346269609416762, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "2c0f3422107cd7394173558d7571251a496f55c8", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8c877f44b51be3e9a96b4f00bc24d343", "payload_hash": "188169fbcb78798ac9d072c06dcd521f", "path_pattern_hash": "93c3c1ea576f84843908e14f1e5f7a72" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.testing HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus) AppleWebKit\/537.36", "method": "GET", "path": "\/.env.testing", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.testing HTTP\/1.1", "request_sample": "GET \/.env.testing HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/.env.testing HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/.env.testing", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.testing HTTP\/1.1", "request_sample": "GET \/.env.testing HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/.env.testing HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "543730fa2d89f8ccc752d421cbef594995541487", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Cible HTTP GET /.env.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.old Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.old HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko/20110123 (like Firefox/3.x) SeaMonkey/2.0.12 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /.env.old HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko/2011 Requête brute (extrait) GET /.env.old HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko/20110123 (like Firefox/3.x) SeaMonkey/2.0.12 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "old", "http_ua_hash": "d65a5790a596e390349e2d5871748c622bac4bfa", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "5c6d2af3e13d17105c8f5fb6187fb5c332303b42", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 237, "payload_entropy": 5.323087905660142, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "595840da1be29d2ca076649272f6970fd7608166", "event_fingerprint": "8b34b1e5586c95c0012e15eb34d7c8a5a1aaedd7", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58cada158fbee4758079abd698a832ea", "payload_hash": "4894fccbacf2fdcb173f54b2a8905fed", "path_pattern_hash": "3807eb1255fb0315f3ffbb94c31e25e0" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko\/2011", "method": "GET", "path": "\/.env.old", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko\/20110123 (like Firefox\/3.x) SeaMonkey\/2.0.12", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.old HTTP\/1.1", "request_sample": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko\/20110123 (like Firefox\/3.x) SeaMonkey\/2.0.12\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko\/2011", "evidence": { "method": "GET", "path": "\/.env.old", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko\/20110123 (like Firefox\/3.x) SeaMonkey\/2.0.12", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.old HTTP\/1.1", "request_sample": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko\/20110123 (like Firefox\/3.x) SeaMonkey\/2.0.12\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko\/2011", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b2dfef9ff7cbb7dea0bfba33e132017de3d86406", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_probe_env", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.development TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.development Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.development HTTP/1.1` User-Agent Mozilla/5.0 (webOS/1.3; U; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/1.0 Safari/525.27.1 Desktop/1.0 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.development HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (webOS/1.3; U; en-US) AppleWebKit/525.27.1 (KHTML, Requête brute (extrait) GET /.env.development HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (webOS/1.3; U; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/1.0 Safari/525.27.1 Desktop/1.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "development", "http_ua_hash": "8fcc658f794c6a3c52cc5f15368ff6f95e08a681", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "8a4e51701d196d7852353e13bcdd4450138c4d04", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.3546108521747255, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "08b36adf885c70a7a1349e763c603d8f6992935f", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b7e703a0bfad46dc961769f3170e5489", "payload_hash": "b889e8566a0750abff9da2bea224ba96", "path_pattern_hash": "c0c440edf0616e70222e5cd82887a202" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (webOS\/1.3; U; en-US) AppleWebKit\/525.27.1 (KHTML, ", "method": "GET", "path": "\/.env.development", "user_agent": "Mozilla\/5.0 (webOS\/1.3; U; en-US) AppleWebKit\/525.27.1 (KHTML, like Gecko) Version\/1.0 Safari\/525.27.1 Desktop\/1.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.development HTTP\/1.1", "request_sample": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (webOS\/1.3; U; en-US) AppleWebKit\/525.27.1 (KHTML, like Gecko) Version\/1.0 Safari\/525.27.1 Desktop\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (webOS\/1.3; U; en-US) AppleWebKit\/525.27.1 (KHTML,", "evidence": { "method": "GET", "path": "\/.env.development", "user_agent": "Mozilla\/5.0 (webOS\/1.3; U; en-US) AppleWebKit\/525.27.1 (KHTML, like Gecko) Version\/1.0 Safari\/525.27.1 Desktop\/1.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.development HTTP\/1.1", "request_sample": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (webOS\/1.3; U; en-US) AppleWebKit\/525.27.1 (KHTML, like Gecko) Version\/1.0 Safari\/525.27.1 Desktop\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (webOS\/1.3; U; en-US) AppleWebKit\/525.27.1 (KHTML,", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7509902ff0b807b6a57d372034f42bcd0034c9c3", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Moyen · 55
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 14 Recommandation Investiguer Tags 950470:nosqli-3 950514:leak-1 http_backup_file_scan http_sensitive_path Cible HTTP GET /.env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.backup Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Probe /.env.backup Ligne de requête `GET /.env.backup HTTP/1.1` User-Agent Nokia3230/2.0 (5.0614.0) SymbianOS/7.0s Series60/2.1 Profile/MIDP-2.0 Configuration/CLDC-1.0 Règles WAF nosqli-3 leak-1 Payload (extrait) GET /.env.backup HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Nokia3230/2.0 (5.0614.0) SymbianOS/7.0s Series60/2.1 Profile/MIDP-2. Requête brute (extrait) GET /.env.backup HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Nokia3230/2.0 (5.0614.0) SymbianOS/7.0s Series60/2.1 Profile/MIDP-2.0 Configuration/CLDC-1.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "backup", "http_ua_hash": "ca029386f37c458f005b38decae94ad3bec334e5", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "0cdfae489c44fe084f54d0d07b1f18ad12bec86e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 221, "payload_entropy": 5.343050801902017, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 64, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8a695fe13f1e619d496fd77d97cce210a9ab0392", "event_fingerprint": "7e6b372eae0e2dd0ec1e8c5588c194fcef0b05e3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 325, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0192", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0192", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191", "pat-0192" ], "matched_pattern_names": [ "Probe \/.env", "Probe \/.env.backup" ], "pattern_ids": [ "pat-0191", "pat-0192" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3bd8e3ae6c2d0c3cf652daf12fc343d9", "payload_hash": "e075d1b75d9a23ed52626510515909f9", "path_pattern_hash": "46237bd90c824ac71e080a2ce5957ff9" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Nokia3230\/2.0 (5.0614.0) SymbianOS\/7.0s Series60\/2.1 Profile\/MIDP-2.", "method": "GET", "path": "\/.env.backup", "user_agent": "Nokia3230\/2.0 (5.0614.0) SymbianOS\/7.0s Series60\/2.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.0", "waf_tags": [ "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/.env.backup HTTP\/1.1", "request_sample": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Nokia3230\/2.0 (5.0614.0) SymbianOS\/7.0s Series60\/2.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Nokia3230\/2.0 (5.0614.0) SymbianOS\/7.0s Series60\/2.1 Profile\/MIDP-2.", "evidence": { "method": "GET", "path": "\/.env.backup", "user_agent": "Nokia3230\/2.0 (5.0614.0) SymbianOS\/7.0s Series60\/2.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.0", "waf_tags": [ "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/.env.backup HTTP\/1.1", "request_sample": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Nokia3230\/2.0 (5.0614.0) SymbianOS\/7.0s Series60\/2.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Nokia3230\/2.0 (5.0614.0) SymbianOS\/7.0s Series60\/2.1 Profile\/MIDP-2.", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9633b987e91b772692ce9f3bf0226f8dde7b30e0", "ban_policy": "advisory_investigate", "tags_list": [ "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.qa TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.qa Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.qa HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux i686; en-us) AppleWebKit/528.5 (KHTML, like Gecko, Safari/528.5 ) lt-GtkLauncher Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.qa HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-us) AppleWebKit/528.5 (KHTML, like Requête brute (extrait) GET /.env.qa HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-us) AppleWebKit/528.5 (KHTML, like Gecko, Safari/528.5 ) lt-GtkLauncher Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "qa", "http_ua_hash": "d5b836205f4abee6a0fa02e202e4eb231d50b1a4", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "f6ca81fc6b63d491b34b08edc02f7c1a76039985", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 233, "payload_entropy": 5.35453353502706, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "0dceb56f76845aaa625e4da1511662c9d72dbddf", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2eb51026680a82596c3101bb0484ba19", "payload_hash": "021017ab9335752e4f52559bb26f4f02", "path_pattern_hash": "4ceac2fb8b154c5a9855e0056c339f6c" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.qa HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-us) AppleWebKit\/528.5 (KHTML, like ", "method": "GET", "path": "\/.env.qa", "user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-us) AppleWebKit\/528.5 (KHTML, like Gecko, Safari\/528.5 ) lt-GtkLauncher", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.qa HTTP\/1.1", "request_sample": "GET \/.env.qa HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-us) AppleWebKit\/528.5 (KHTML, like Gecko, Safari\/528.5 ) lt-GtkLauncher\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.qa HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-us) AppleWebKit\/528.5 (KHTML, like", "evidence": { "method": "GET", "path": "\/.env.qa", "user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-us) AppleWebKit\/528.5 (KHTML, like Gecko, Safari\/528.5 ) lt-GtkLauncher", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.qa HTTP\/1.1", "request_sample": "GET \/.env.qa HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-us) AppleWebKit\/528.5 (KHTML, like Gecko, Safari\/528.5 ) lt-GtkLauncher\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.qa HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-us) AppleWebKit\/528.5 (KHTML, like", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c9d6c7008684f2fd4187b56ea76ee6f3f89a6391", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Cible HTTP GET /.env.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.bak Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.bak HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko/2008092814 (Debian-3.0.1-1) Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /.env.bak HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko/2008092814 Requête brute (extrait) GET /.env.bak HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko/2008092814 (Debian-3.0.1-1) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "af95654136764219f3e1be062b59f67c138da948", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "4a5fcefd2e38e385c845c219c16c9499f238dece", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 213, "payload_entropy": 5.362763681972339, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "595840da1be29d2ca076649272f6970fd7608166", "event_fingerprint": "ce55d4f25056a79dfca1fe6677517e498ba49b92", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6ad009cbfe015d0ea51aa1bd68d4dfd3", "payload_hash": "f3280bc9c148ef3ddfc5d85c1ed0a10c", "path_pattern_hash": "e884c8b66a9cc0dbcd8816b9898313a2" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814 ", "method": "GET", "path": "\/.env.bak", "user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814 (Debian-3.0.1-1)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.bak HTTP\/1.1", "request_sample": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814 (Debian-3.0.1-1)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814", "evidence": { "method": "GET", "path": "\/.env.bak", "user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814 (Debian-3.0.1-1)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.bak HTTP\/1.1", "request_sample": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814 (Debian-3.0.1-1)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b26533f4e087469902b9dbebca05abbdcd2013b8", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_probe_env", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Cible HTTP GET /.env.production.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.production.bak Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Probe /.env.production Ligne de requête `GET /.env.production.bak HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-N950F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /.env.production.bak HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-N950F) AppleWebKit/537.36 Requête brute (extrait) GET /.env.production.bak HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-N950F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "414163d4817183722f788fb9f3b2b12ba4abc740", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "5e60aad91233f8359cb54318aa7e2c8c88640909", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.429738078855862, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "d80e6243fe2dd64f3f9c4a005da197761be2a955", "event_fingerprint": "8cc7073332c2cd0b2dbf6f15634003c612852ad3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 325, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191", "pat-0194" ], "matched_pattern_names": [ "Probe \/.env", "Probe \/.env.production" ], "pattern_ids": [ "pat-0191", "pat-0194" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b94debad114632e42aad99def17b56e9", "payload_hash": "1458c812266eebe4a7b8a2a479da5f5f", "path_pattern_hash": "46a3381311009be4b70c0ebd235fdb59" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.production.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950F) AppleWebKit\/537.36 ", "method": "GET", "path": "\/.env.production.bak", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-N950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.production.bak HTTP\/1.1", "request_sample": "GET \/.env.production.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/.env.production.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950F) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/.env.production.bak", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-N950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.production.bak HTTP\/1.1", "request_sample": "GET \/.env.production.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/.env.production.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950F) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dfdabed6268f306947530fcb8814d481683d8549", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.test TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.test Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.test HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.test HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /.env.test HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "test", "http_ua_hash": "debb15a7d68aa336bc36ec7e628a2911a37d6393", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "4e40a92f813d5ab41a0033a3846a1a977ff1de23", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.37609429759141, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "df5c983269e09b4dbac024cb2a1abcaad316d886", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d60e0586986b6a343b0c6e2f32127712", "payload_hash": "47516131e70ddbf3a7537aa82e981fce", "path_pattern_hash": "d0f775cf96d71b1d76da4d08e462f07a" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/.env.test", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.test HTTP\/1.1", "request_sample": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/.env.test", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.test HTTP\/1.1", "request_sample": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d88c2529a4fc157db3ee4feecdcce9f69871672b", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.save TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.save Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.save HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.save HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /.env.save HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "save", "http_ua_hash": "f694f99cff565034e1e4fddf9aac9f1fdb313045", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "b6acd8fd883f6c293e3cda5fd50434818eb0b3df", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 241, "payload_entropy": 5.42633697466993, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "456a2488f6f070abf37e3288dd5ea62e0d8b676a", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6dc82c8a3d57f2110191f3d1c13c7a38", "payload_hash": "65fd2acc2755d83f11dfe784ea5e4239", "path_pattern_hash": "f8bd9e65b618d21d6e757070964bc6e1" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/.env.save", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.save HTTP\/1.1", "request_sample": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/.env.save", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.save HTTP\/1.1", "request_sample": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8146de63af221d15ee2a99762d07af0e0b6deda5", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.uat TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.uat Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.uat HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.uat HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /.env.uat HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "uat", "http_ua_hash": "96323db4774a74962d66398809039a9e7a9bbf62", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "66d1899261b7971a064fb81964052eae4ab44ccb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.402124662987955, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "7f0b867cd78b22f10aad6d7d283fccdb4c18a675", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3a62f28c6e0b8940384ceced2f595cf4", "payload_hash": "3324ceed623aa69fed51baee5a262303", "path_pattern_hash": "ae4cb14da8dffdd0fce54bdc9802bc13" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.uat HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/.env.uat", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.uat HTTP\/1.1", "request_sample": "GET \/.env.uat HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.uat HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/.env.uat", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.uat HTTP\/1.1", "request_sample": "GET \/.env.uat HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.uat HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHT", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "432111c1f9f219746dcda6490a6315a54918b1db", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.preprod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.preprod Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.preprod HTTP/1.1` User-Agent Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3178.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.preprod HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /.env.preprod HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3178.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "preprod", "http_ua_hash": "01b326db0c40500d584db9349c17954cd21e25ed", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "67166fa60459969a35e979b1c3340b3415271d3a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 241, "payload_entropy": 5.436447147600104, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "a471f600d699a8aee2a5074b809fb0710d5b4928", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "537aecb83e5aee413afccc1ad56ed533", "payload_hash": "92d7c62bfe89430984c101bf44d02d45", "path_pattern_hash": "56c2098c6a61c7ac0db82c4db6400ced" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/.env.preprod", "user_agent": "Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3178.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.preprod HTTP\/1.1", "request_sample": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3178.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/.env.preprod", "user_agent": "Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3178.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.preprod HTTP\/1.1", "request_sample": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3178.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4f7d20854c258467e5ae9d0742435371b593229d", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.pre-production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.pre-production Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.pre-production HTTP/1.1` User-Agent Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/536.5 (KHTML like Gecko) Chrome/19.0.1084.56 Safari/536.5 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.pre-production HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/536.5 (KHTML li Requête brute (extrait) GET /.env.pre-production HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/536.5 (KHTML like Gecko) Chrome/19.0.1084.56 Safari/536.5 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "pre-production", "http_ua_hash": "4a9c540c7b75db1bce59b403ae39938bfd9f66ea", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "b0266a8b5f23aa7eb0ba5ad4711f86dc278bff09", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 239, "payload_entropy": 5.399164430777874, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "ef3c6e9c2325ec04b67041c51dde130b68d46dd6", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ba5f8a9f1007af1ce9fbf5f24465a28c", "payload_hash": "83b2837ad8a6aa52f8f8ef5b6e063432", "path_pattern_hash": "38db8d3279e3019bd5a23c153b1847d3" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.pre-production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/536.5 (KHTML li", "method": "GET", "path": "\/.env.pre-production", "user_agent": "Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/536.5 (KHTML like Gecko) Chrome\/19.0.1084.56 Safari\/536.5", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.pre-production HTTP\/1.1", "request_sample": "GET \/.env.pre-production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/536.5 (KHTML like Gecko) Chrome\/19.0.1084.56 Safari\/536.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.pre-production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/536.5 (KHTML li", "evidence": { "method": "GET", "path": "\/.env.pre-production", "user_agent": "Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/536.5 (KHTML like Gecko) Chrome\/19.0.1084.56 Safari\/536.5", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.pre-production HTTP\/1.1", "request_sample": "GET \/.env.pre-production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/536.5 (KHTML like Gecko) Chrome\/19.0.1084.56 Safari\/536.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.pre-production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/536.5 (KHTML li", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bb69ce297e05ecc7586c3820feef6b50040e6e54", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.default TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.default Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.default HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3876.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.default HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gec Requête brute (extrait) GET /.env.default HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3876.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "default", "http_ua_hash": "32327fff8b51993e2a11eaa1f03a55f19f9a3e6a", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "437476297bcc04ccaf487ff217e9f02a35247fa6", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 233, "payload_entropy": 5.431579827956073, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "88a57cd4627520e87c9221cbc9d97d569b55e7ef", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "374e594fff7d90fcc3f4c27b624d5da4", "payload_hash": "90329b85036a9e0858ab299293269b36", "path_pattern_hash": "ef22944b80bfbabaa71a03775ffca265" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gec", "method": "GET", "path": "\/.env.default", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.default HTTP\/1.1", "request_sample": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gec", "evidence": { "method": "GET", "path": "\/.env.default", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.default HTTP\/1.1", "request_sample": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gec", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c65f183ddaecb3324618f2999d87cb0ef70adab0", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.sample TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.sample Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.sample HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.49 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.sample HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 ( Requête brute (extrait) GET /.env.sample HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.49 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "sample", "http_ua_hash": "3e6e8fbfbb2fc8e4d9e44b508c85802f2f648e4e", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "095847d45b64fa9778f5b417101046355c7fb8b4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 249, "payload_entropy": 5.40432581597928, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "6f045b509cc59bed01502e6fe159842545efd418", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e925462f978a08b5db201cbaeebc73ea", "payload_hash": "fb83cded12e0a717ad5801d8221b01c8", "path_pattern_hash": "124d2598962516d623c1414e60d74596" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.sample HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (", "method": "GET", "path": "\/.env.sample", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.49 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.sample HTTP\/1.1", "request_sample": "GET \/.env.sample HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.49 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.sample HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/.env.sample", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.49 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.sample HTTP\/1.1", "request_sample": "GET \/.env.sample HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.49 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.sample HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9dfd5b9d45241584fd6a44f457d00aeb49e9fc3c", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 68
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 29 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950470:nosqli-3 950514:leak-1 Cible HTTP GET /.env.development.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.development.local Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.development.local HTTP/1.1` User-Agent Mozilla/5.0 (OS/2; Warp 4.5; rv:31.0) Gecko/20100101 Firefox/31.0 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.development.local HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:31.0) Gecko/20100101 Fire Requête brute (extrait) GET /.env.development.local HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:31.0) Gecko/20100101 Firefox/31.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "local", "http_ua_hash": "3131488a786cb4a33228186f7cb8887816128962", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "44b27fcf42134edd5dc872c2c6f931dc026ceb76", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 205, "payload_entropy": 5.250932423050007, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 6, "anomaly_count": 0, "campaign_key": "2f1ad04b91375a661f651cfb4e2dbf59fb9dff7d", "event_fingerprint": "dac53427c52181067c0ffa8e252bb43a0b9680ae", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c5f74bd7cbd3ff8a80dc7d3f506cfad8", "payload_hash": "4ab3d4f4bd8cb270b3e61f4096493c11", "path_pattern_hash": "66b5346fea2c0f881a6004f5150ea85e" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:31.0) Gecko\/20100101 Fire", "method": "GET", "path": "\/.env.development.local", "user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:31.0) Gecko\/20100101 Firefox\/31.0", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.development.local HTTP\/1.1", "request_sample": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:31.0) Gecko\/20100101 Firefox\/31.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:31.0) Gecko\/20100101 Fire", "evidence": { "method": "GET", "path": "\/.env.development.local", "user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:31.0) Gecko\/20100101 Firefox\/31.0", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.development.local HTTP\/1.1", "request_sample": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:31.0) Gecko\/20100101 Firefox\/31.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:31.0) Gecko\/20100101 Fire", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0ecda66d8077f9ae3dbce32ab65eaf4b8bbe5704", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.stage TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.stage Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.stage HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.stage HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /.env.stage HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "stage", "http_ua_hash": "78b5ce573f8bf720549aba6289877bc57c1ff5e2", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "3b1f09925d833e9c8b11c15969735e676c352e02", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.413308230560952, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "403fd0a03ba796a2686dc9b93a563137de3f5042", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "912d30cca638bf5acc269d96a2dbe209", "payload_hash": "69a4cb1ff0d5a8bf4b7f7a798b5333cc", "path_pattern_hash": "41bc8d05ec3b934057692a81f7d48c57" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.stage HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/.env.stage", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.stage HTTP\/1.1", "request_sample": "GET \/.env.stage HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.stage HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/.env.stage", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.stage HTTP\/1.1", "request_sample": "GET \/.env.stage HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.stage HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6a34780e4fa7c1f541a285de3d3e19d349a636cd", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.copy TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.copy Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.copy HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; OpenBSD i386; en-US) AppleWebKit/533.3 (KHTML, like Gecko) Chrome/5.0.359.0 Safari/533.3 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.copy HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; U; OpenBSD i386; en-US) AppleWebKit/533.3 (KHTML, li Requête brute (extrait) GET /.env.copy HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; U; OpenBSD i386; en-US) AppleWebKit/533.3 (KHTML, like Gecko) Chrome/5.0.359.0 Safari/533.3 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "copy", "http_ua_hash": "e74708deae113493572483019a104f10353264d1", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "7c2ae66345773d74e41beccb46e084de01a9b535", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 236, "payload_entropy": 5.381327144052919, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "e998f00a11d18c349d459f4cce906e81f076e106", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "303c1cd87a80ad01baaf5ef595433fd7", "payload_hash": "20e5fcac72aee436b5122cd32751f25e", "path_pattern_hash": "1582af18ca1ce6e54d4467e471b637e8" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD i386; en-US) AppleWebKit\/533.3 (KHTML, li", "method": "GET", "path": "\/.env.copy", "user_agent": "Mozilla\/5.0 (X11; U; OpenBSD i386; en-US) AppleWebKit\/533.3 (KHTML, like Gecko) Chrome\/5.0.359.0 Safari\/533.3", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.copy HTTP\/1.1", "request_sample": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD i386; en-US) AppleWebKit\/533.3 (KHTML, like Gecko) Chrome\/5.0.359.0 Safari\/533.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD i386; en-US) AppleWebKit\/533.3 (KHTML, li", "evidence": { "method": "GET", "path": "\/.env.copy", "user_agent": "Mozilla\/5.0 (X11; U; OpenBSD i386; en-US) AppleWebKit\/533.3 (KHTML, like Gecko) Chrome\/5.0.359.0 Safari\/533.3", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.copy HTTP\/1.1", "request_sample": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD i386; en-US) AppleWebKit\/533.3 (KHTML, like Gecko) Chrome\/5.0.359.0 Safari\/533.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD i386; en-US) AppleWebKit\/533.3 (KHTML, li", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3c7e4afbe0a76cc262e25ac6571bf083a41cd03e", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }

8.230.14.61

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence