Détails IP 8.230.14.61

Synthèse exécutive

Profil de menace

Score de risque 69/100 Élevé

Première observation 04/06/2026 23:22 UTC

Dernière observation 04/06/2026 23:22 UTC

Événements (période) 302

MITRE ATT&CK principal —

risque 69/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%

Comparaison ASN / FAI

ASN 396982 · 8.230.0.0/19 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 302 événements sur la période pour cette IP.

35.233.42.65 Sonde port 189/TCP 20/06/2026 03:16 UTC
34.62.36.252 Sonde port 8622/TCP 20/06/2026 03:16 UTC
34.78.23.28 Scan vulnérabilités 20/06/2026 03:16 UTC
34.79.87.63 Sonde port 12225/TCP 20/06/2026 03:16 UTC
34.77.166.77 Sonde port 10250/TCP 20/06/2026 03:16 UTC
205.210.31.96 Scanner web 20/06/2026 03:14 UTC
35.241.166.201 Sonde port 5901/TCP 20/06/2026 03:14 UTC
162.216.150.114 Scanner web 20/06/2026 03:08 UTC

Événements (filtres)

302

Première observation

04/06/2026 23:22 UTC

Dernière observation

04/06/2026 23:22 UTC

Dernière activité (filtres)

04/06/2026 23:22 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

—

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 151 TLS TCP 151

HTTP

151

TLS

151

Géolocalisation

Origine réseau déclarée

Corée du Sud unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 82 config_file_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Aperçu payload

GET /portal/.env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit/537.36 (KH

Port / service

Recommandation

Investiguer

Confiance

100%

Famille de menace

path_traversal config_leak_scan

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

302 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

302 événement(s) — page 4/7

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.production Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Probe /.env.production Ligne de requête `GET /.env.production HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.production HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit/537 Requête brute (extrait) GET /.env.production HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "production", "http_ua_hash": "67cd2aa88754575f856c2edf38d4b5159963a959", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "9b39fa6529cda07275007291b337879405a04c62", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 262, "payload_entropy": 5.380797471000544, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "85265d4678826b41903cc2acd448d90c34df2ca0", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 325, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191", "pat-0194" ], "matched_pattern_names": [ "Probe \/.env", "Probe \/.env.production" ], "pattern_ids": [ "pat-0191", "pat-0194" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "57322d07efe3c4afc6e4b5dae3823bbb", "payload_hash": "b22cc863d9523282818606c1c817c7ba", "path_pattern_hash": "a397c8c79032c8a19624fdccf1ae5680" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537", "method": "GET", "path": "\/.env.production", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.production HTTP\/1.1", "request_sample": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/.env.production", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.production HTTP\/1.1", "request_sample": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7285f5fe65fd3c959601e996c922d880e8ca772b", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.local Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Probe /.env.local Ligne de requête `GET /.env.local HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.local HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko Requête brute (extrait) GET /.env.local HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "local", "http_ua_hash": "ea4fa585ac15d157c47f34ea7de09f788feba735", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "1bd3d14a0dcd500ff7a77dd7b961ff8960851334", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 232, "payload_entropy": 5.425778177538051, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "f7c32cfa0fd066353c85c7257924993a31f6c681", "event_fingerprint": "951685301f50a7374617da698a2faa0bcfc093e0", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 325, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0193", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0193", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191", "pat-0193" ], "matched_pattern_names": [ "Probe \/.env", "Probe \/.env.local" ], "pattern_ids": [ "pat-0191", "pat-0193" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d82cefaf22eda39f47cd4260363c44b1", "payload_hash": "737e469de346e703907faeb96c4bf7e7", "path_pattern_hash": "b9c24fc1b97f40588adfd0796c248786" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "method": "GET", "path": "\/.env.local", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.75 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.local HTTP\/1.1", "request_sample": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.75 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "evidence": { "method": "GET", "path": "\/.env.local", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.75 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.local HTTP\/1.1", "request_sample": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.75 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9c213b7fe9f2007a30e359abc9de337a82eb0188", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_env_local", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	probe env	Élevée	Moyen · 43
Étape Sonde / probe MITRE TA0007 TA0001 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 http_probe_env Cible HTTP GET /env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /env Pourquoi cette classification : Type « probe_env » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /env HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/76.0.3809.100 Chrome/76.0.3809.100 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubunt Requête brute (extrait) GET /env HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/76.0.3809.100 Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "30b58e96275c900437bd1f3094408c62741a5ff9", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "ebac263a482818b6e7a922df98cc560bbc808a0a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.453792074537061, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 60, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 50, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 43, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d4f261cc58d987ae38e30802dcf5149525665feb", "event_fingerprint": "afd04fbb1d283d8f03fc7de86c54e3af19d0e7ba", "classification_reason": "Type \u00ab probe_env \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 55, "precision_signals": [ "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-upstream", "INT-waf-score" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5375c656c4ef272e50ec4b6236a30a31", "payload_hash": "a96721de2804277ca89a9dfae86134ba", "path_pattern_hash": "1a3ee8c5f071bd935c8a12206727587a" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubunt", "method": "GET", "path": "\/env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.100 Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/env HTTP\/1.1", "request_sample": "GET \/env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.100 Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubunt", "evidence": { "method": "GET", "path": "\/env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.100 Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/env HTTP\/1.1", "request_sample": "GET \/env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.100 Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/env HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubunt", "classification_reason": "Type \u00ab probe_env \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "52dcbe2a9b1df9015ecfb3d81d59bd378b7c786b", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_probe_env" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.dev TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.dev Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.dev HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.dev HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /.env.dev HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "dev", "http_ua_hash": "1675a6241aef378419b2faf61ba95fdf969cb594", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "a499321530f3e4ddd283e6792cf6d67b1e7cfe88", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.4051982473064415, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "b69f8e684c1e581c73995666492c6e201fccb934", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "05a8df2e511067e69ae92cd3e128e848", "payload_hash": "fb826dc9c5aeaaea4f53d92b41b897d3", "path_pattern_hash": "ceb221ca10f5b573c09ea91320781e08" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/.env.dev", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.dev HTTP\/1.1", "request_sample": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/.env.dev", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.dev HTTP\/1.1", "request_sample": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHT", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "83d91a55096ad1f52763c6215a970a2b90b433f5", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 22 Recommandation Investiguer Tags 950470:nosqli-3 950514:leak-1 950521:leak-8 http_backup_file_scan Cible HTTP GET /.env.prod.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.prod.bak Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.prod.bak HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063 Règles WAF nosqli-3 leak-1 leak-8 Payload (extrait) GET /.env.prod.bak HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Geck Requête brute (extrait) GET /.env.prod.bak HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "e67fa2801df69ab92cbb0f351843999eeade2e68", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "e79ede117a02a11b4e7051104a60cdf42ee84dde", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.376128448497844, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 96, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 96, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 6, "anomaly_count": 0, "campaign_key": "a09d4c1eef2d93af93aff3d00c4091a4d7337b1b", "event_fingerprint": "079121f0fad73940a4c09938593f13d2b69f4c39", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f40e7cfeaf59b8c5a1ceb0ecb0e5dbfa", "payload_hash": "838d122c5658c89468325962b1da99a8", "path_pattern_hash": "b6f3643e7f32a1b4084c7ae038946cd0" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.prod.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Geck", "method": "GET", "path": "\/.env.prod.bak", "user_agent": "Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.116 Safari\/537.36 Edge\/15.15063", "waf_tags": [ "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.prod.bak HTTP\/1.1", "request_sample": "GET \/.env.prod.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.116 Safari\/537.36 Edge\/15.15063\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.prod.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Geck", "evidence": { "method": "GET", "path": "\/.env.prod.bak", "user_agent": "Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.116 Safari\/537.36 Edge\/15.15063", "waf_tags": [ "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.prod.bak HTTP\/1.1", "request_sample": "GET \/.env.prod.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.116 Safari\/537.36 Edge\/15.15063\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.prod.bak HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Geck", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9f93f1708e657bb50dfc749b4514374068d7718f", "ban_policy": "advisory_investigate", "tags_list": [ "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 68
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 28 Recommandation Investiguer Tags 950086:sqli-21 950326:rce-0 950470:nosqli-3 950514:leak-1 Cible HTTP GET /.env.live TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.live Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « sqli-21 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.live HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/16D57 MicroMessenger/7.0.5(0x17000523) NetType/WIFI Language/zh_CN Règles WAF sqli-21 rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.live HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit/6 Requête brute (extrait) GET /.env.live HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/16D57 MicroMessenger/7.0.5(0x17000523) NetType/WIFI Language/zh_CN Accept-Charset: utf-8 Ac Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "live", "http_ua_hash": "83ee0834b60be67a9e2abde255ad72992dca2c81", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "6ac4c96f7567e632cc17c82931a457152d6117b9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 298, "payload_entropy": 5.471611024679665, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 6, "anomaly_count": 0, "campaign_key": "47f4bda603965bf019ec9d3eb37f7fa71b2faa13", "event_fingerprint": "9d795a063cfa78a857619e52cc360e86ebaa8a4c", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "51c99b6efb8efd14a2242b25b0e96d8a", "payload_hash": "7e79977d62a68bacdced0cf399faf1fa", "path_pattern_hash": "0bb869934ccc3c32135ba9dd6550d1cf" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.live HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit\/6", "method": "GET", "path": "\/.env.live", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16D57 MicroMessenger\/7.0.5(0x17000523) NetType\/WIFI Language\/zh_CN", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.live HTTP\/1.1", "request_sample": "GET \/.env.live HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16D57 MicroMessenger\/7.0.5(0x17000523) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: utf-8\r\nAc", "payload_snippet": "GET \/.env.live HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit\/6", "evidence": { "method": "GET", "path": "\/.env.live", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16D57 MicroMessenger\/7.0.5(0x17000523) NetType\/WIFI Language\/zh_CN", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.live HTTP\/1.1", "request_sample": "GET \/.env.live HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16D57 MicroMessenger\/7.0.5(0x17000523) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: utf-8\r\nAc", "payload_snippet": "GET \/.env.live HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit\/6", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d8f8f3992682da94a3f4a3651a17d57bae9c553b", "ban_policy": "advisory_investigate", "tags_list": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Moyen · 57
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 15 Recommandation Investiguer Tags 950326:rce-0 950514:leak-1 http_backup_file_scan http_sensitive_path Cible HTTP GET /.env.backup.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.backup.txt Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Probe /.env.backup Ligne de requête `GET /.env.backup.txt HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) Règles WAF rce-0 leak-1 Payload (extrait) GET /.env.backup.txt HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser Requête brute (extrait) GET /.env.backup.txt HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) Accept-C Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c8f58d748399180805eaaeee0454038e043d96b9", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "184b58f152ad4847d3c68a03f1b63b5f06475d83", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 315, "payload_entropy": 5.315166407123111, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 68, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 68, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c18a5ab83b8b6829eeadace0259817ea92327901", "event_fingerprint": "2c50fd7e4a62967980f358b1fca3a2a942b64480", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 325, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0192", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0192", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191", "pat-0192" ], "matched_pattern_names": [ "Probe \/.env", "Probe \/.env.backup" ], "pattern_ids": [ "pat-0191", "pat-0192" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "28ca8b6fccda72430248080823299054", "payload_hash": "03bf6ee0036de85ccbd4c4bcabab3053", "path_pattern_hash": "34c4e8aec1933ec66edde754c405cd53" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.backup.txt HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser", "method": "GET", "path": "\/.env.backup.txt", "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)", "waf_tags": [ "950326:rce-0", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "leak-1" ], "request_line": "GET \/.env.backup.txt HTTP\/1.1", "request_sample": "GET \/.env.backup.txt HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)\r\nAccept-C", "payload_snippet": "GET \/.env.backup.txt HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser", "evidence": { "method": "GET", "path": "\/.env.backup.txt", "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)", "waf_tags": [ "950326:rce-0", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "leak-1" ], "request_line": "GET \/.env.backup.txt HTTP\/1.1", "request_sample": "GET \/.env.backup.txt HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)\r\nAccept-C", "payload_snippet": "GET \/.env.backup.txt HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "60c5cdd8b349e96ee1877e5813e1135d5e60e18d", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.docker TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.docker Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.docker HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; MI 9) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.docker HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; MI 9) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET /.env.docker HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 9; MI 9) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "docker", "http_ua_hash": "637ce5322bb77a61de6800d960f9df95080fd8e7", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "fffaa1342f06e8670d7edda0bc9461e93e4a0f1f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.397309573052148, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "66efb454448cab13d246d6f4b615a0838b7ec463", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d14870c6fbb2acb77d15af60a1d43119", "payload_hash": "4d721e3eba3d766d089fb0c2dce66b40", "path_pattern_hash": "4424df1cf14166f6194446e711e46b03" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like", "method": "GET", "path": "\/.env.docker", "user_agent": "Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.docker HTTP\/1.1", "request_sample": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like", "evidence": { "method": "GET", "path": "\/.env.docker", "user_agent": "Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.docker HTTP\/1.1", "request_sample": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e37a4aee74bfc0e824172e828ddd40a9faf03596", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Tentative d'exploit	Élevée	Moyen · 60
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950521:leak-8 http_backup_path Cible HTTP GET /env.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /env.old Pourquoi cette classification : Tentative d'exploit (tag rce-0) · Sonde fichier sensible / config · confiance 62% Confiance classification 62% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /env.old HTTP/1.1` User-Agent Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-8 Payload (extrait) GET /env.old HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) C Requête brute (extrait) GET /env.old HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "old", "http_ua_hash": "5c62382c707e3594f9b439b35099cfa8d48abbcf", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "f2c0dc89039abb7b503900ef73d0ee05f89133ed", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 230, "payload_entropy": 5.418702817640897, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 72, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 60, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f9c798af4c23e1f8397bfe547a975e9d28dbe076", "event_fingerprint": "21a5a375aa5b9314a23ebbd4adf874cd892e5313", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1aa9a3b607358d5fc8539c161a50040b", "payload_hash": "e7d4eb04b9032ab012f4e7db987a64b0", "path_pattern_hash": "7cac178e79fe10bf41da42670526b73d" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) C", "method": "GET", "path": "\/env.old", "user_agent": "Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.125 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-8" ], "request_line": "GET \/env.old HTTP\/1.1", "request_sample": "GET \/env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.125 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) C", "evidence": { "method": "GET", "path": "\/env.old", "user_agent": "Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.125 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-8" ], "request_line": "GET \/env.old HTTP\/1.1", "request_sample": "GET \/env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.125 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/env.old HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) C", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4849bc127f556041f1c4aa9801cbca7c20ca8353", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8", "http_backup_path", "http_probe_env" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 96 }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.orig TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.orig Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.orig HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.orig HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like G Requête brute (extrait) GET /.env.orig HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "orig", "http_ua_hash": "c4f9fc5dab517f1171c190ebc0e99035f227fb6d", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "a5360e8b4c24130ce7b83ff2db501eac1df0996e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 237, "payload_entropy": 5.4273786258613255, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "a3eec227a2b61471f0393fa52bf46ea5340c5e2d", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "338a2972088f66eeba21d51a814a5fbc", "payload_hash": "d8c606c9b713e13810996389ff102232", "path_pattern_hash": "74a5485724e3b49c70feec62176e92c9" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like G", "method": "GET", "path": "\/.env.orig", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.orig HTTP\/1.1", "request_sample": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like G", "evidence": { "method": "GET", "path": "\/.env.orig", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.orig HTTP\/1.1", "request_sample": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like G", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6d2d96af820a75e631c5f845f1c2344785c0aa04", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	http	Sonde fichier configuration	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.dist TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /.env.dist Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.dist HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.dist HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit/537.36 (KHTML, l Requête brute (extrait) GET /.env.dist HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "dist", "http_ua_hash": "437bd15ff58b2f59ab74723917d34ccc4b225b07", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "a8dbdb551defc236b9cece3e75d9b78bd8bedf29", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 249, "payload_entropy": 5.436595302203969, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fbe1d785ce08b33cf30d663b41036d313e76255", "event_fingerprint": "9e7c8527cbc30bf41fcc055f40a9c45a1d9b4f43", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "25c221e4c832d379f43feb5348f480df", "payload_hash": "f3ee635f0377f224d7907a9c878d35c7", "path_pattern_hash": "dca3f24e2bb7c842c1b47abf4a5e3131" }, "target_context": { "dst_port": 82, "service": "http" }, "payload_preview": "GET \/.env.dist HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KHTML, l", "method": "GET", "path": "\/.env.dist", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.dist HTTP\/1.1", "request_sample": "GET \/.env.dist HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.dist HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KHTML, l", "evidence": { "method": "GET", "path": "\/.env.dist", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.dist HTTP\/1.1", "request_sample": "GET \/.env.dist HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.dist HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KHTML, l", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2524d63829493978d0e24327c65748deaa116688", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��5�]x�uxRx��~(�nY٪��jrZw�� }?~��cw�s2��YL�`��E�2�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��5�]x�uxRx��~(�nY٪��jrZw�� }?~��cw�s2��YL�`��E�2�&�+�/�,�0̨̩� �� /5� w �+3&$ �@�/w�Y�g��.��s��[�N�"(. Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.748571116232844, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "072fdc7776a89b14325eed883ca97b94", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00035\u0001\ufffd]x\ufffduxRx\ufffd\ufffd\ufffd\ufffd~(\ufffdn\u001eY\u066a\ufffd\u0002\ufffdjrZw\ufffd\ufffd\ufffd \ufffd\ufffd}?~\ufffd\ufffd\ufffd\ufffdcw\ufffd\bs2\ufffd\ufffd\ufffdYL\ufffd`\ufffd\ufffd\ufffd\u0004\ufffdE\ufffd2\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00035\u0001\ufffd]x\ufffduxRx\ufffd\ufffd\ufffd\ufffd~(\ufffdn\u001eY\u066a\ufffd\u0002\ufffdjrZw\ufffd\ufffd\ufffd \ufffd\ufffd}?~\ufffd\ufffd\ufffd\ufffdcw\ufffd\bs2\ufffd\ufffd\ufffdYL\ufffd`\ufffd\ufffd\ufffd\u0004\ufffdE\ufffd2\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd@\ufffd\/\u001dw\u0007\u0015\ufffdY\ufffdg\ufffd\ufffd.\ufffd\ufffds\ufffd\ufffd\u0007\ufffd\ufffd\ufffd[\ufffdN\ufffd\"(.", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00035\u0001\ufffd]x\ufffduxRx\ufffd\ufffd\ufffd\ufffd~(\ufffdn\u001eY\u066a\ufffd\u0002\ufffdjrZw\ufffd\ufffd\ufffd \ufffd\ufffd}?~\ufffd\ufffd\ufffd\ufffdcw\ufffd\bs2\ufffd\ufffd\ufffdYL\ufffd`\ufffd\ufffd\ufffd\u0004\ufffdE\ufffd2\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00035\u0001\ufffd]x\ufffduxRx\ufffd\ufffd\ufffd\ufffd~(\ufffdn\u001eY\u066a\ufffd\u0002\ufffdjrZw\ufffd\ufffd\ufffd \ufffd\ufffd}?~\ufffd\ufffd\ufffd\ufffdcw\ufffd\bs2\ufffd\ufffd\ufffdYL\ufffd`\ufffd\ufffd\ufffd\u0004\ufffdE\ufffd2\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd@\ufffd\/\u001dw\u0007\u0015\ufffdY\ufffdg\ufffd\ufffd.\ufffd\ufffds\ufffd\ufffd\u0007\ufffd\ufffd\ufffd[\ufffdN\ufffd\"(.", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00035\u0001\ufffd]x\ufffduxRx\ufffd\ufffd\ufffd\ufffd~(\ufffdn\u001eY\u066a\ufffd\u0002\ufffdjrZw\ufffd\ufffd\ufffd \ufffd\ufffd}?~\ufffd\ufffd\ufffd\ufffdcw\ufffd\bs2\ufffd\ufffd\ufffdYL\ufffd`\ufffd\ufffd\ufffd\u0004\ufffdE\ufffd2\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cb205f80c65b83e91965a4796f68d1ea56b0a98e", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��;�#��k��@ͼG��L-(�'sZ��j (K2�sa.��2��u��@fW͢��P {�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��;�#��k��@ͼG��L-(�'s Z��j (K2�sa.��2��u��@fW͢��P {�&�+�/�,�0̨̩� �� /5� w �+3&$ �2 �5� b�"��N��N��:�N Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.792711748572247, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "5aa21adcc3b725ad2185661688b8126d", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003;\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd@\u0001\u037cG\ufffd\ufffd\ufffdL-(\ufffd's\u000bZ\ufffd\u0017\ufffdj (K2\ufffdsa.\ufffd\ufffd\ufffd2\ufffd\ufffdu\u000f\ufffd\ufffd@fW\u0362\ufffd\ufffd\ufffd\ufffdP\u0011\u000f\t{\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003;\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd@\u0001\u037cG\ufffd\ufffd\ufffdL-(\ufffd's\u000bZ\ufffd\u0017\ufffdj (K2\ufffdsa.\ufffd\ufffd\ufffd2\ufffd\ufffdu\u000f\ufffd\ufffd@fW\u0362\ufffd\ufffd\ufffd\ufffdP\u0011\u000f\t{\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd2 \ufffd5\ufffd\u000bb\ufffd\"\u0006\ufffd\ufffd\ufffd\ufffd\u0004N\ufffd\ufffd\u0010\ufffd\u0016\ufffdN\ufffd\ufffd\u0019:\ufffdN\u000e", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003;\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd@\u0001\u037cG\ufffd\ufffd\ufffdL-(\ufffd's\u000bZ\ufffd\u0017\ufffdj (K2\ufffdsa.\ufffd\ufffd\ufffd2\ufffd\ufffdu\u000f\ufffd\ufffd@fW\u0362\ufffd\ufffd\ufffd\ufffdP\u0011\u000f\t{\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003;\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd@\u0001\u037cG\ufffd\ufffd\ufffdL-(\ufffd's\u000bZ\ufffd\u0017\ufffdj (K2\ufffdsa.\ufffd\ufffd\ufffd2\ufffd\ufffdu\u000f\ufffd\ufffd@fW\u0362\ufffd\ufffd\ufffd\ufffdP\u0011\u000f\t{\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd2 \ufffd5\ufffd\u000bb\ufffd\"\u0006\ufffd\ufffd\ufffd\ufffd\u0004N\ufffd\ufffd\u0010\ufffd\u0016\ufffdN\ufffd\ufffd\u0019:\ufffdN\u000e", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003;\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd@\u0001\u037cG\ufffd\ufffd\ufffdL-(\ufffd's\u000bZ\ufffd\u0017\ufffdj (K2\ufffdsa.\ufffd\ufffd\ufffd2\ufffd\ufffdu\u000f\ufffd\ufffd@fW\u0362\ufffd\ufffd\ufffd\ufffdP\u0011\u000f\t{\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "427bdea616149e4efe1fe8fc304ee608d5e781fe", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��5iʟ�>ӧ�5{�֪�$��X��JU�� [��Ex/򗷆�>��v��'��ޟ&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��5iʟ�>ӧ�5{�֪�$��X��JU�� [��Ex/򗷆�>��v��'��ޟ&�+�/�,�0̨̩� �� /5� w �+3&$ ��y��t�y �`�l`�ڞ��ڷ��$ Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.836271824634965, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "80ddc1b9d68294ee8ec693c1218d6891", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00035i\u029f\ufffd>\u04e7\ufffd5\u0014{\ufffd\u05aa\ufffd$\ufffd\ufffd\ufffdX\ufffd\ufffd\ufffd\ufffdJ\u0012\u0011U\ufffd\u0012\ufffd \ufffd\ufffd[\ufffd\ufffd\ufffd\ufffd\ufffd\u0013\ufffdEx\/\uda1f\uddc6\ufffd>\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd'\ufffd\ufffd\ufffd\u079f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00035i\u029f\ufffd>\u04e7\ufffd5\u0014{\ufffd\u05aa\ufffd$\ufffd\ufffd\ufffdX\ufffd\ufffd\ufffd\ufffdJ\u0012\u0011U\ufffd\u0012\ufffd \ufffd\ufffd[\ufffd\ufffd\ufffd\ufffd\ufffd\u0013\ufffdEx\/\uda1f\uddc6\ufffd>\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd'\ufffd\ufffd\ufffd\u079f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdy\u0017\ufffd\ufffd\ufffd\ufffdt\ufffdy\r\f\ufffd`\ufffdl`\ufffd\u069e\ufffd\ufffd\ufffd\ufffd\ufffd\u06b7\ufffd\ufffd\ufffd$", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00035i\u029f\ufffd>\u04e7\ufffd5\u0014{\ufffd\u05aa\ufffd$\ufffd\ufffd\ufffdX\ufffd\ufffd\ufffd\ufffdJ\u0012\u0011U\ufffd\u0012\ufffd \ufffd\ufffd[\ufffd\ufffd\ufffd\ufffd\ufffd\u0013\ufffdEx\/\uda1f\uddc6\ufffd>\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd'\ufffd\ufffd\ufffd\u079f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00035i\u029f\ufffd>\u04e7\ufffd5\u0014{\ufffd\u05aa\ufffd$\ufffd\ufffd\ufffdX\ufffd\ufffd\ufffd\ufffdJ\u0012\u0011U\ufffd\u0012\ufffd \ufffd\ufffd[\ufffd\ufffd\ufffd\ufffd\ufffd\u0013\ufffdEx\/\uda1f\uddc6\ufffd>\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd'\ufffd\ufffd\ufffd\u079f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdy\u0017\ufffd\ufffd\ufffd\ufffdt\ufffdy\r\f\ufffd`\ufffdl`\ufffd\u069e\ufffd\ufffd\ufffd\ufffd\ufffd\u06b7\ufffd\ufffd\ufffd$", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00035i\u029f\ufffd>\u04e7\ufffd5\u0014{\ufffd\u05aa\ufffd$\ufffd\ufffd\ufffdX\ufffd\ufffd\ufffd\ufffdJ\u0012\u0011U\ufffd\u0012\ufffd \ufffd\ufffd[\ufffd\ufffd\ufffd\ufffd\ufffd\u0013\ufffdEx\/\uda1f\uddc6\ufffd>\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd'\ufffd\ufffd\ufffd\u079f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "479216ecb7fb2f3df11b48f1c65860f8a7e3a0e8", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Z�M��k�lV~�{G�~Grp.(_�)n�`# ҈�2axlT�iF-�طLΨD݌b�(\�1/O&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Z�M��k�lV~�{G�~Grp.(_�)n�`# ҈�2axlT�iF-�طLΨD݌b�(\�1/O&�+�/�,�0̨̩� �� /5� w �+3&$ VU�u�&��SEJ7�g�9��5 E Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.894656269550872, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "eabec2d2f0d968edb96f1e4b08b43cf5", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdZ\ufffdM\ufffd\u0016\ufffdk\ufffdlV~\ufffd{G\ufffd~Grp.(\u0006_\ufffd)n\ufffd`# \u0488\ufffd2axlT\ufffdiF-\b\ufffd\u0637L\u03a8D\u074cb\ufffd(\\\ufffd1\/\u000eO\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdZ\ufffdM\ufffd\u0016\ufffdk\ufffdlV~\ufffd{G\ufffd~Grp.(\u0006_\ufffd)n\ufffd`# \u0488\ufffd2axlT\ufffdiF-\b\ufffd\u0637L\u03a8D\u074cb\ufffd(\\\ufffd1\/\u000eO\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 VU\ufffd\u0010\u001cu\ufffd\u0006&\u0003\u001c\ufffd\ufffd\ufffdSEJ7\u001a\ufffdg\ufffd9\ufffd\ufffd5\t\u0019E", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdZ\ufffdM\ufffd\u0016\ufffdk\ufffdlV~\ufffd{G\ufffd~Grp.(\u0006_\ufffd)n\ufffd`# \u0488\ufffd2axlT\ufffdiF-\b\ufffd\u0637L\u03a8D\u074cb\ufffd(\\\ufffd1\/\u000eO\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdZ\ufffdM\ufffd\u0016\ufffdk\ufffdlV~\ufffd{G\ufffd~Grp.(\u0006_\ufffd)n\ufffd`# \u0488\ufffd2axlT\ufffdiF-\b\ufffd\u0637L\u03a8D\u074cb\ufffd(\\\ufffd1\/\u000eO\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 VU\ufffd\u0010\u001cu\ufffd\u0006&\u0003\u001c\ufffd\ufffd\ufffdSEJ7\u001a\ufffdg\ufffd9\ufffd\ufffd5\t\u0019E", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdZ\ufffdM\ufffd\u0016\ufffdk\ufffdlV~\ufffd{G\ufffd~Grp.(\u0006_\ufffd)n\ufffd`# \u0488\ufffd2axlT\ufffdiF-\b\ufffd\u0637L\u03a8D\u074cb\ufffd(\\\ufffd1\/\u000eO\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3ce442d5755fded62df49a0a245a7fd7934e3f51", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��7_j`�\|��K�[�ۗN�{��ac$�� ]/��Kѵ`��=!�X8v��4�`9&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��7_j`�\|��K�[�ۗN�{��ac$�� ]/��Kѵ`��=!�X8v��4�`9&�+�/�,�0̨̩� �� /5� w �+3&$ T��2!��<�K�Q��b� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.813272611376057, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "6293d592934c9e70273790dd5c0e4651", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd7_j`\ufffd\|\ufffd\ufffd\ufffdK\ufffd[\ufffd\u06d7\u0017N\ufffd{\ufffd\ufffdac$\ufffd\ufffd\ufffd\u0007 ]\/\ufffd\ufffd\u0015K\u0012\u0475\u0014`\u0001\ufffd\ufffd=!\ufffd\u001bX8v\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00174\ufffd`9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd7_j`\ufffd\|\ufffd\ufffd\ufffdK\ufffd[\ufffd\u06d7\u0017N\ufffd{\ufffd\ufffdac$\ufffd\ufffd\ufffd\u0007 ]\/\ufffd\ufffd\u0015K\u0012\u0475\u0014`\u0001\ufffd\ufffd=!\ufffd\u001bX8v\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00174\ufffd`9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 T\ufffd\ufffd\u0012\u001a2\u000f!\ufffd\ufffd\ufffd\u0018\ufffd\u0002\ufffd\u0006\ufffd<\ufffdK\ufffdQ\ufffd\ufffd\ufffd\ufffdb\ufffd\u0003\u0018", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd7_j`\ufffd\|\ufffd\ufffd\ufffdK\ufffd[\ufffd\u06d7\u0017N\ufffd{\ufffd\ufffdac$\ufffd\ufffd\ufffd\u0007 ]\/\ufffd\ufffd\u0015K\u0012\u0475\u0014`\u0001\ufffd\ufffd=!\ufffd\u001bX8v\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00174\ufffd`9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd7_j`\ufffd\|\ufffd\ufffd\ufffdK\ufffd[\ufffd\u06d7\u0017N\ufffd{\ufffd\ufffdac$\ufffd\ufffd\ufffd\u0007 ]\/\ufffd\ufffd\u0015K\u0012\u0475\u0014`\u0001\ufffd\ufffd=!\ufffd\u001bX8v\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00174\ufffd`9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 T\ufffd\ufffd\u0012\u001a2\u000f!\ufffd\ufffd\ufffd\u0018\ufffd\u0002\ufffd\u0006\ufffd<\ufffdK\ufffdQ\ufffd\ufffd\ufffd\ufffdb\ufffd\u0003\u0018", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd7_j`\ufffd\|\ufffd\ufffd\ufffdK\ufffd[\ufffd\u06d7\u0017N\ufffd{\ufffd\ufffdac$\ufffd\ufffd\ufffd\u0007 ]\/\ufffd\ufffd\u0015K\u0012\u0475\u0014`\u0001\ufffd\ufffd=!\ufffd\u001bX8v\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00174\ufffd`9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8ea2bbfc8c624f207c9b338d5d1fa749931cd8f6", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��/�P��6��dt�J��ቨ`��X� ��2މv0%WtpG��D�EmEi,G�y&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��/�P��6��dt�J��ቨ`��X� ��2މv0%WtpG��D�EmEi,G�y&�+�/�,�0̨̩� �� /5� w �+3&$ G��+d6u�!\|�prx� ��:�uWQ��^X' Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.82498786642568, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "b046adfcee770c9a5621b545eb7f2af2", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\/\ufffdP\ufffd\ufffd6\ufffd\ufffddt\ufffdJ\b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u1268`\ufffd\u0013\ufffdX\u001e\ufffd \u0006\ufffd\ufffd\u001f2\u0789v0%\u0004WtpG\ufffd\ufffd\ufffdD\u0005\u001a\ufffdEmEi,\u0015G\u001b\ufffdy\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\/\ufffdP\ufffd\ufffd6\ufffd\ufffddt\ufffdJ\b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u1268`\ufffd\u0013\ufffdX\u001e\ufffd \u0006\ufffd\ufffd\u001f2\u0789v0%\u0004WtpG\ufffd\ufffd\ufffdD\u0005\u001a\ufffdEmEi,\u0015G\u001b\ufffdy\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0018G\ufffd\ufffd+d6u\ufffd!\|\ufffdprx\ufffd\f\ufffd\ufffd:\ufffduWQ\ufffd\ufffd^X'", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\/\ufffdP\ufffd\ufffd6\ufffd\ufffddt\ufffdJ\b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u1268`\ufffd\u0013\ufffdX\u001e\ufffd \u0006\ufffd\ufffd\u001f2\u0789v0%\u0004WtpG\ufffd\ufffd\ufffdD\u0005\u001a\ufffdEmEi,\u0015G\u001b\ufffdy\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\/\ufffdP\ufffd\ufffd6\ufffd\ufffddt\ufffdJ\b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u1268`\ufffd\u0013\ufffdX\u001e\ufffd \u0006\ufffd\ufffd\u001f2\u0789v0%\u0004WtpG\ufffd\ufffd\ufffdD\u0005\u001a\ufffdEmEi,\u0015G\u001b\ufffdy\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0018G\ufffd\ufffd+d6u\ufffd!\|\ufffdprx*\ufffd\f\ufffd\ufffd:\ufffduWQ\ufffd\ufffd^X'", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\/\ufffdP\ufffd\ufffd6\ufffd\ufffddt\ufffdJ\b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u1268`\ufffd\u0013\ufffdX\u001e\ufffd \u0006\ufffd\ufffd\u001f2\u0789v0%\u0004WtpG\ufffd\ufffd\ufffdD\u0005\u001a\ufffdEmEi,\u0015G\u001b\ufffdy\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8826199f2ce6bb370ca542073b29f7d8611c1978", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��u)=��r��m�Q�5,�:��D��0�U� \8>T�1GydA��f��T��$52��X�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��u)=��r��m�Q�5,�:��D��0�U� \8>T �1GydA��f��T��$52��X�&�+�/�,�0̨̩� �� /5� w �+3&$ ��iΜ��2P�J��2�w�nDڵ\|X/ 8 Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.828235702529039, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "0946491a5e0d9ee4b2e4afb5d153bf5d", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdu)=\ufffd\u0014\ufffdr\ufffd\ufffdm\ufffdQ\ufffd5,\ufffd:\ufffd\ufffd\ufffdD\ufffd\ufffd\u001e\ufffd0\ufffdU\ufffd \\\b8>T\u000b\ufffd1GydA\u0001\ufffd\ufffd\ufffdf\ufffd\ufffdT\u000f\ufffd\ufffd$5\u00132\ufffd\u001b\ufffdX\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdu)=\ufffd\u0014\ufffdr\ufffd\ufffdm\ufffdQ\ufffd5,\ufffd:\ufffd\ufffd\ufffdD\ufffd\ufffd\u001e\ufffd0\ufffdU\ufffd \\\b8>T\u000b\ufffd1GydA\u0001\ufffd\ufffd\ufffdf\ufffd\ufffdT\u000f\ufffd\ufffd$5\u00132\ufffd\u001b\ufffdX\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\u0017i\u039c\ufffd\ufffd2\u0015P\ufffdJ\ufffd\u0004\ufffd2\ufffdw\ufffdnD\u0018\u06b5\|X\/ 8\f", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdu)=\ufffd\u0014\ufffdr\ufffd\ufffdm\ufffdQ\ufffd5,\ufffd:\ufffd\ufffd\ufffdD\ufffd\ufffd\u001e\ufffd0\ufffdU\ufffd \\\b8>T\u000b\ufffd1GydA\u0001\ufffd\ufffd\ufffdf\ufffd\ufffdT\u000f\ufffd\ufffd$5\u00132\ufffd\u001b\ufffdX\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdu)=\ufffd\u0014\ufffdr\ufffd\ufffdm\ufffdQ\ufffd5,\ufffd:\ufffd\ufffd\ufffdD\ufffd\ufffd\u001e\ufffd0\ufffdU\ufffd \\\b8>T\u000b\ufffd1GydA\u0001\ufffd\ufffd\ufffdf\ufffd\ufffdT\u000f\ufffd\ufffd$5\u00132\ufffd\u001b\ufffdX\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\u0017i\u039c\ufffd\ufffd2\u0015P\ufffdJ\ufffd\u0004\ufffd2\ufffdw\ufffdnD\u0018\u06b5\|X\/ 8\f", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdu)=\ufffd\u0014\ufffdr\ufffd\ufffdm\ufffdQ\ufffd5,\ufffd:\ufffd\ufffd\ufffdD\ufffd\ufffd\u001e\ufffd0\ufffdU\ufffd \\\b8>T\u000b\ufffd1GydA\u0001\ufffd\ufffd\ufffdf\ufffd\ufffdT\u000f\ufffd\ufffd$5\u00132\ufffd\u001b\ufffdX\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d3a032bc388f468c44c56c73eeb828b218b8d0f6", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��ǟ �w�߼�}�V�@��~<�g };��#� Lh��6t�mQ�x�R��1�z��9%g?I�+&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��ǟ �w�߼�}�V�@��~<�g };��#� Lh��6t�mQ�x�R��1�z��9%g?I�+&�+�/�,�0̨̩� �� /5� w �+3&$ ��H��7q�6��G !1��Z��t,v Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.83640504983336, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "996ea215220ff253cd82606d7b9aa9d8", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u01df\r\ufffdw\ufffd\u07fc\ufffd}\u0004\ufffdV\ufffd@\ufffd\ufffd~<\ufffdg\u000e }\u0000;\ufffd\u0006\ufffd#\ufffd Lh\ufffd\ufffd6t\ufffdmQ\ufffdx\ufffdR\ufffd\ufffd\ufffd\ufffd\u001a1\ufffdz\ufffd\ufffd\u0017\u00019%g?I\ufffd+\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u01df\r\ufffdw\ufffd\u07fc\ufffd}\u0004\ufffdV\ufffd@\ufffd\ufffd~<\ufffdg\u000e }\u0000;\ufffd\u0006\ufffd#\ufffd Lh\ufffd\ufffd6t\ufffdmQ\ufffdx\ufffdR\ufffd\ufffd\ufffd\ufffd\u001a1\ufffdz\ufffd\ufffd\u0017\u00019%g?I\ufffd+\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdH\ufffd\ufffd7q\ufffd6\ufffd\u0003\ufffd\ufffdG\t!1\ufffd\ufffd\ufffd\ufffd\u0001\u0003Z\ufffd\ufffd\u0015\ufffd\u001et,v", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u01df\r\ufffdw\ufffd\u07fc\ufffd}\u0004\ufffdV\ufffd@\ufffd\ufffd~<\ufffdg\u000e }\u0000;\ufffd\u0006\ufffd#\ufffd Lh\ufffd\ufffd6t\ufffdmQ\ufffdx\ufffdR\ufffd\ufffd\ufffd\ufffd\u001a1\ufffdz\ufffd\ufffd\u0017\u00019%g?I\ufffd+\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u01df\r\ufffdw\ufffd\u07fc\ufffd}\u0004\ufffdV\ufffd@\ufffd\ufffd~<\ufffdg\u000e }\u0000;\ufffd\u0006\ufffd#\ufffd Lh\ufffd\ufffd6t\ufffdmQ\ufffdx\ufffdR\ufffd\ufffd\ufffd\ufffd\u001a1\ufffdz\ufffd\ufffd\u0017\u00019%g?I\ufffd+\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdH\ufffd\ufffd7q\ufffd6\ufffd\u0003\ufffd\ufffdG\t!1\ufffd\ufffd\ufffd\ufffd\u0001\u0003Z\ufffd\ufffd\u0015\ufffd\u001et,v", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u01df\r\ufffdw\ufffd\u07fc\ufffd}\u0004\ufffdV\ufffd@\ufffd\ufffd~<\ufffdg\u000e }\u0000;\ufffd\u0006\ufffd#\ufffd Lh\ufffd\ufffd6t\ufffdmQ\ufffdx\ufffdR\ufffd\ufffd\ufffd\ufffd\u001a1\ufffdz\ufffd\ufffd\u0017\u00019%g?I\ufffd+\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "188e627aa4f0a552b82fb861dcec017278df8648", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �� y+��t��g}��fhM�/j^ ��YU��G=Io��A�-7�ȩ�PC��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) �� y+��t��g}��fhM�/j^ ��YU��G=Io��A�-7�ȩ�PC��&�+�/�,�0̨̩� �� /5� w �+3&$ h}��Ud��\�#��B�v<�s��=Jl�% Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.864854737886867, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "593c2a1f78c8f28f63c844d112fd2e9e", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\r\ufffdy+\ufffd\ufffdt\ufffd\ufffd\ufffdg}\ufffd\ufffd\u0003\ufffdfh\u0004M\ufffd\u0013\/j^ \u0016\ufffd\u001b\ufffdYU\ufffd\ufffd\ufffdG\u0015=Io\ufffd\ufffd\ufffdA\ufffd-\u00007\ufffd\u0229\ufffdPC\ufffd\u001f\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\r\ufffdy+\ufffd\ufffdt\ufffd\ufffd\ufffdg}\ufffd\ufffd\u0003\ufffdfh\u0004M\ufffd\u0013\/j^ \u0016\ufffd\u001b\ufffdYU\ufffd\ufffd\ufffdG\u0015=Io\ufffd\ufffd\ufffdA\ufffd-\u00007\ufffd\u0229\ufffdPC\ufffd\u001f\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 h}\ufffd\u0001\ufffd\ufffdUd\ufffd\u0010\ufffd\ufffd\ufffd\\\ufffd\u0002#\ufffd\ufffdB\ufffdv<\ufffds\ufffd\ufffd=Jl\ufffd%", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\r\ufffdy+\ufffd\ufffdt\ufffd\ufffd\ufffdg}\ufffd\ufffd\u0003\ufffdfh\u0004M\ufffd\u0013\/j^ \u0016\ufffd\u001b\ufffdYU\ufffd\ufffd\ufffdG\u0015=Io\ufffd\ufffd\ufffdA\ufffd-\u00007\ufffd\u0229\ufffdPC\ufffd\u001f\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\r\ufffdy+\ufffd\ufffdt\ufffd\ufffd\ufffdg}\ufffd\ufffd\u0003\ufffdfh\u0004M\ufffd\u0013\/j^ \u0016\ufffd\u001b\ufffdYU\ufffd\ufffd\ufffdG\u0015=Io\ufffd\ufffd\ufffdA\ufffd-\u00007\ufffd\u0229\ufffdPC\ufffd\u001f\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 h}\ufffd\u0001\ufffd\ufffdUd\ufffd\u0010\ufffd\ufffd\ufffd\\\ufffd\u0002#\ufffd\ufffdB\ufffdv<\ufffds\ufffd\ufffd=Jl\ufffd%", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\r\ufffdy+\ufffd\ufffdt\ufffd\ufffd\ufffdg}\ufffd\ufffd\u0003\ufffdfh\u0004M\ufffd\u0013\/j^ \u0016\ufffd\u001b\ufffdYU\ufffd\ufffd\ufffdG\u0015=Io\ufffd\ufffd\ufffdA\ufffd-\u0000*7\ufffd\u0229\ufffdPC\ufffd\u001f\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1676c6e6626a3d1420e4c4eed508127c40f8311f", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��A� '�$��뫞� �#`��?F1 "�u�N/X)UfxQ�ț�0sm �l��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��A� '�$��뫞� �#`��?F1 "�u�N/X)UfxQ�ț�0sm �l��&�+�/�,�0̨̩� �� /5� w �+3&$ �H�BT�f5�rg.��߀��wxk0��J Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.861134350112083, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "dffcdf581300fc72db635778dbdd96f4", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdA\ufffd\t\r'\ufffd\u0002\u0007$\ufffd\u0001\ufffd\ufffd\ubade\ufffd\t\ufffd#`\ufffd\ufffd\ufffd\ufffd\ufffd?F1 \"\ufffd\u0019u\ufffdN\/X)UfxQ\ufffd\u021b\ufffd0s\u0014m \ufffdl\ufffd\u0014\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdA\ufffd\t\r'\ufffd\u0002\u0007$\ufffd\u0001\ufffd\ufffd\ubade\ufffd\t\ufffd#`\ufffd\ufffd\ufffd\ufffd\ufffd?F1 \"\ufffd\u0019u\ufffdN\/X)UfxQ\ufffd\u021b\ufffd0s\u0014m \ufffdl\ufffd\u0014\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u001aH\ufffdBT\ufffdf5\ufffdrg.\ufffd\u001e\ufffd\u000e\u07c0\ufffd\ufffdw\u001cxk0\ufffd\ufffd\u0012\ufffd\u0001J", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdA\ufffd\t\r'\ufffd\u0002\u0007$\ufffd\u0001\ufffd\ufffd\ubade\ufffd\t\ufffd#`\ufffd\ufffd\ufffd\ufffd\ufffd?F1 \"\ufffd\u0019u\ufffdN\/X)UfxQ\ufffd\u021b\ufffd0s\u0014m \ufffdl\ufffd\u0014\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdA\ufffd\t\r'\ufffd\u0002\u0007$\ufffd\u0001\ufffd\ufffd\ubade\ufffd\t\ufffd#`\ufffd\ufffd\ufffd\ufffd\ufffd?F1 \"\ufffd\u0019u\ufffdN\/X)UfxQ\ufffd\u021b\ufffd0s\u0014m \ufffdl\ufffd\u0014\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u001aH\ufffdBT\ufffdf5\ufffdrg.\ufffd\u001e\ufffd\u000e\u07c0\ufffd\ufffdw\u001cxk0\ufffd\ufffd\u0012\ufffd\u0001J", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdA\ufffd\t\r'\ufffd\u0002\u0007$\ufffd\u0001\ufffd\ufffd\ubade\ufffd\t\ufffd#`\ufffd\ufffd\ufffd\ufffd\ufffd?F1 \"\ufffd\u0019u\ufffdN\/X)UfxQ\ufffd\u021b\ufffd0s\u0014m \ufffdl\ufffd\u0014\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c9c597c42668ad91ebda727215b0856751267fdb", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��z�>�2pt6<�I��Ma�oFף�w(&�� p�)�U ��R�� 'α��s]W��"&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��z�>�2pt 6<�I��Ma�oFף�w(&�� p�)�U ��R�� 'α��s]W��"&�+�/�,�0̨̩� �� /5� w �+3&$ eWm�^k�d�\|?�P[��7�=n��=&��; Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.921412057043325, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "0b1311aa7011eda694c552bae5751a6e", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdz\ufffd>\ufffd2pt\u000b6<\ufffdI\ufffd\ufffd\ufffdMa\ufffdo\u0013F\u001f\u05e3\ufffdw(&\ufffd\ufffd p\ufffd)\ufffdU\r\ufffd\ufffd\b\ufffd\u0005\u001c\ufffdR\u0012\ufffd\ufffd\u000f\n'\u03b1\ufffd\ufffds\u000e]W\ufffd\ufffd\"\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdz\ufffd>\ufffd2pt\u000b6<\ufffdI\ufffd\ufffd\ufffdMa\ufffdo\u0013F\u001f\u05e3\ufffdw(&\ufffd\ufffd p\ufffd)\ufffdU\r\ufffd\ufffd\b\ufffd\u0005\u001c\ufffdR\u0012\ufffd\ufffd\u000f\n'\u03b1\ufffd\ufffds\u000e]W\ufffd\ufffd\"\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 eWm\ufffd^k\ufffdd\ufffd\|?\ufffdP[\ufffd\ufffd\ufffd\ufffd7\ufffd=n\ufffd\ufffd\ufffd=&\ufffd\ufffd;\u0018", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdz\ufffd>\ufffd2pt\u000b6<\ufffdI\ufffd\ufffd\ufffdMa\ufffdo\u0013F\u001f\u05e3\ufffdw(&\ufffd\ufffd p\ufffd)\ufffdU\r\ufffd\ufffd\b\ufffd\u0005\u001c\ufffdR\u0012\ufffd\ufffd\u000f\n'\u03b1\ufffd\ufffds\u000e]W\ufffd\ufffd\"\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdz\ufffd>\ufffd2pt\u000b6<\ufffdI\ufffd\ufffd\ufffdMa\ufffdo\u0013F\u001f\u05e3\ufffdw(&\ufffd\ufffd p\ufffd)\ufffdU\r\ufffd\ufffd\b\ufffd\u0005\u001c\ufffdR\u0012\ufffd\ufffd\u000f\n'\u03b1\ufffd\ufffds\u000e]W\ufffd\ufffd\"\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 eWm\ufffd^k\ufffdd\ufffd\|?\ufffdP[\ufffd\ufffd\ufffd\ufffd7\ufffd=n\ufffd\ufffd\ufffd=&\ufffd\ufffd;\u0018", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdz\ufffd>\ufffd2pt\u000b6<\ufffdI\ufffd\ufffd\ufffdMa\ufffdo\u0013F\u001f\u05e3\ufffdw(&\ufffd\ufffd p\ufffd)\ufffdU\r\ufffd\ufffd\b\ufffd\u0005\u001c\ufffdR\u0012\ufffd\ufffd\u000f\n'\u03b1\ufffd\ufffds\u000e]W\ufffd\ufffd\"\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "91dd6f942f4f816ec8387c4e163c0af78ac473da", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��d�Ga�7e�ةE&:2��f=ĳd�� 5w�{��ٽ,�I)��P��ߓ�9�z�C&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��d�Ga�7e�ةE&:2��f=ĳd �� 5w�{��ٽ,�I)��P��ߓ�9�z�C&�+�/�,�0̨̩� �� /5� w �+3&$ &[�j��E:�_j�:K6p��><�ܢ&#��! Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.7661789910560035, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "6f7ac67737626e91c8c020ab3318ab2c", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0006d\ufffdGa\ufffd\u00137e\ufffd\u0016\u0629E&:2\ufffd\u0005\ufffd\ufffd\ufffdf=\u0015\u0133d\f\ufffd\ufffd \ufffd\ufffd5w\ufffd{\ufffd\ufffd\ufffd\u067d,\ufffdI)\ufffd\ufffd\u0005\ufffdP\ufffd\b\ufffd\u07d3\ufffd9\ufffdz\ufffdC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0006d\ufffdGa\ufffd\u00137e\ufffd\u0016\u0629E&:2\ufffd\u0005\ufffd\ufffd\ufffdf=\u0015\u0133d\f\ufffd\ufffd \ufffd\ufffd5w\ufffd{\ufffd\ufffd\ufffd\u067d,\ufffdI)\ufffd\ufffd\u0005\ufffdP\ufffd\b\ufffd\u07d3\ufffd9\ufffdz\ufffdC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 &[\ufffdj\ufffd\ufffdE:\ufffd_j\u0007\u0013\ufffd:K6p\ufffd\ufffd><\ufffd\u0722&#\ufffd\u0000\ufffd\ufffd!", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0006d\ufffdGa\ufffd\u00137e\ufffd\u0016\u0629E&:2\ufffd\u0005\ufffd\ufffd\ufffdf=\u0015\u0133d\f\ufffd\ufffd \ufffd\ufffd5w\ufffd{\ufffd\ufffd\ufffd\u067d,\ufffdI)\ufffd\ufffd\u0005\ufffdP\ufffd\b\ufffd\u07d3\ufffd9\ufffdz\ufffdC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0006d\ufffdGa\ufffd\u00137e\ufffd\u0016\u0629E&:2\ufffd\u0005\ufffd\ufffd\ufffdf=\u0015\u0133d\f\ufffd\ufffd \ufffd\ufffd5w\ufffd{\ufffd\ufffd\ufffd\u067d,\ufffdI)\ufffd\ufffd\u0005\ufffdP\ufffd\b\ufffd\u07d3\ufffd9\ufffdz\ufffdC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 &[\ufffdj\ufffd\ufffdE:\ufffd_j\u0007\u0013\ufffd:K6p\ufffd\ufffd><\ufffd\u0722&#\ufffd\u0000\ufffd\ufffd!", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0006d\ufffdGa\ufffd\u00137e\ufffd\u0016\u0629E*&:2\ufffd\u0005\ufffd\ufffd\ufffdf=\u0015\u0133d\f\ufffd\ufffd \ufffd\ufffd5w\ufffd{\ufffd\ufffd\ufffd\u067d,\ufffdI)\ufffd\ufffd\u0005\ufffdP\ufffd\b\ufffd\u07d3\ufffd9\ufffdz\ufffdC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "651fa310b728edb4305e6ce4abdfb29c8c64a5d5", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��z@��co��J��6�:�(��}�\|� �˷�@�:UO�UYt�R��N��Z>��+�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��z@��co��J��6�:�(��}�\|� �˷�@�:UO�UYt�R��N��Z>��+�&�+�/�,�0̨̩� �� /5� w �+3&$ �͜T�ÿ�_��WC�ĵC]�d�޹�A ��X Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.824921109423611, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "d90fe0b5b73978dae8373427601ea3d8", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffd\ufffdz@\ufffd\ufffdco\ufffd\ufffd\ufffd\u0006J\ufffd\u0010\ufffd\ufffd6\ufffd:\ufffd(\u0010\ufffd\ufffd\u0002\ufffd}\ufffd\|\ufffd \ufffd\u02f7\ufffd@\ufffd:\u0003UO\ufffdUYt\ufffdR\ufffd\ufffdN\ufffd\u001f\u0003\ufffdZ>\ufffd\ufffd+\ufffd\u0001\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffd\ufffdz@\ufffd\ufffdco\ufffd\ufffd\ufffd\u0006J\ufffd\u0010\ufffd\ufffd6\ufffd:\ufffd(\u0010\ufffd\ufffd\u0002\ufffd}\ufffd\|\ufffd \ufffd\u02f7\ufffd@\ufffd:\u0003UO\ufffdUYt\ufffdR\ufffd\ufffdN\ufffd\u001f\u0003\ufffdZ>\ufffd\ufffd+\ufffd\u0001\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u035cT\ufffd\u0003\u00ff\ufffd\u000f_\ufffd\ufffdWC\ufffd\u0135C]\ufffdd\ufffd\u07b9\ufffdA\t\ufffd\ufffdX", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffd\ufffdz@\ufffd\ufffdco\ufffd\ufffd\ufffd\u0006J\ufffd\u0010\ufffd\ufffd6\ufffd:\ufffd(\u0010\ufffd\ufffd\u0002\ufffd}\ufffd\|\ufffd \ufffd\u02f7\ufffd@\ufffd:\u0003UO\ufffdUYt\ufffdR\ufffd\ufffdN\ufffd\u001f\u0003\ufffdZ>\ufffd\ufffd+\ufffd\u0001\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffd\ufffdz@\ufffd\ufffdco\ufffd\ufffd\ufffd\u0006J\ufffd\u0010\ufffd\ufffd6\ufffd:\ufffd(\u0010\ufffd\ufffd\u0002\ufffd}\ufffd\|\ufffd \ufffd\u02f7\ufffd@\ufffd:\u0003UO\ufffdUYt\ufffdR\ufffd\ufffdN\ufffd\u001f\u0003\ufffdZ>\ufffd\ufffd+\ufffd\u0001\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u035cT\ufffd\u0003\u00ff\ufffd\u000f_\ufffd\ufffdWC\ufffd\u0135C]\ufffdd\ufffd\u07b9\ufffdA\t\ufffd\ufffdX", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffd\ufffdz@\ufffd\ufffdco\ufffd\ufffd\ufffd\u0006J\ufffd\u0010\ufffd\ufffd6\ufffd:\ufffd(\u0010\ufffd\ufffd\u0002\ufffd}\ufffd\|\ufffd \ufffd\u02f7\ufffd@\ufffd:\u0003UO\ufffdUYt\ufffdR\ufffd*\ufffdN\ufffd\u001f\u0003\ufffdZ>\ufffd\ufffd+\ufffd\u0001\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0a5bdf7d8fc9fc4d3c70e1b87d56bfee258684a0", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��rz��b�yE���J��w2 ��S ��w��/p!O�-�\|��X�K�'c�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��rz��b�yE���J��w2 ��S ��w��/p!O�-�\|��X�K�'c�&�+�/�,�0̨̩� �� /5� w �+3&$ L)�v��@L)?�9?��)�0�� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.844748107266611, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "761096a8d48a77b8155ec3d364b94776", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdrz\ufffd\ufffd\ufffdb\ufffd\u0017yE\ufffd\u000e\ufffd\ufffd\u0010J\ufffd\ufffd\ufffd\ufffd\ufffdw2\r\ufffd\ufffd\ufffdS \n\ufffd\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffd\u0004\u0013\/p!O\ufffd\u0012-\ufffd\|\ufffd\ufffd\u001d\u0017X\u001c\ufffdK\ufffd'c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdrz\ufffd\ufffd\ufffdb\ufffd\u0017yE\ufffd\u000e\ufffd\ufffd\u0010J\ufffd\ufffd\ufffd\ufffd\ufffdw2\r\ufffd\ufffd\ufffdS \n\ufffd\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffd\u0004\u0013\/p!O\ufffd\u0012-\ufffd\|\ufffd\ufffd\u001d\u0017X\u001c\ufffdK\ufffd'c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 L)\ufffdv\ufffd\ufffd@L)?\u001a\ufffd9?\ufffd\ufffd\u000f\ufffd)\ufffd0\ufffd\u001a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\r", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdrz\ufffd\ufffd\ufffdb\ufffd\u0017yE\ufffd\u000e\ufffd\ufffd\u0010J\ufffd\ufffd\ufffd\ufffd\ufffdw2\r\ufffd\ufffd\ufffdS \n\ufffd\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffd\u0004\u0013\/p!O\ufffd\u0012-\ufffd\|\ufffd\ufffd\u001d\u0017X\u001c\ufffdK\ufffd'c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdrz\ufffd\ufffd\ufffdb\ufffd\u0017yE\ufffd\u000e\ufffd\ufffd\u0010J\ufffd\ufffd\ufffd\ufffd\ufffdw2\r\ufffd\ufffd\ufffdS \n\ufffd\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffd\u0004\u0013\/p!O\ufffd\u0012-\ufffd\|\ufffd\ufffd\u001d\u0017X\u001c\ufffdK\ufffd'c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 L)\ufffdv\ufffd\ufffd@L)?\u001a\ufffd9?\ufffd\ufffd\u000f\ufffd)\ufffd0\ufffd\u001a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\r", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdrz\ufffd\ufffd\ufffdb\ufffd\u0017yE\ufffd\u000e*\ufffd\ufffd\u0010J\ufffd\ufffd\ufffd\ufffd\ufffdw2\r\ufffd\ufffd\ufffdS \n\ufffd\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffd\u0004\u0013\/p!O\ufffd\u0012-\ufffd\|\ufffd\ufffd\u001d\u0017X\u001c\ufffdK\ufffd'c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "970f651e28c78bd9b28b7527847e4f7838d7a69e", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��.0�(�4fM`1�m�Q9��f��u�U\| � �R�ЛF9��u+�\9��w_{bf�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��.0�(�4fM`1�m�Q9��f��u�U\| � �R�ЛF9��u+�\9��w_{bf�&�+�/�,�0̨̩� �� /5� w �+3&$ ��c��2�.QT�i��l�(�ۜ��ϖ��~ Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.812729522409182, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "ba16c4ae983fa8ae4642abdc094c6303", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.0\ufffd(\ufffd\u00144fM`1\ufffdm\ufffdQ9\ufffd\ufffd\ufffdf\ufffd\ufffd\ufffd\ufffd\u001b\ufffdu\ufffdU\| \u0011\ufffd\n\u0007\ufffdR\ufffd\u041bF9\ufffd\ufffd\ufffd\ufffdu\u0000+\ufffd\\9\ufffd\ufffd\ufffdw_\u0000{bf\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.0\ufffd(\ufffd\u00144fM`1\ufffdm\ufffdQ9\ufffd\ufffd\ufffdf\ufffd\ufffd\ufffd\ufffd\u001b\ufffdu\ufffdU\| \u0011\ufffd\n\u0007\ufffdR\ufffd\u041bF9\ufffd\ufffd\ufffd\ufffdu\u0000+\ufffd\\9\ufffd\ufffd\ufffdw_\u0000{bf\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\ufffdc\ufffd\ufffd2\ufffd.QT\ufffdi\ufffd\ufffdl\ufffd(\ufffd\u06dc\ufffd\ufffd\u001e\ufffd\u03d6\ufffd\ufffd~\u0002", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.0\ufffd(\ufffd\u00144fM`1\ufffdm\ufffdQ9\ufffd\ufffd\ufffdf\ufffd\ufffd\ufffd\ufffd\u001b\ufffdu\ufffdU\| \u0011\ufffd\n\u0007\ufffdR\ufffd\u041bF9\ufffd\ufffd\ufffd\ufffdu\u0000+\ufffd\\9\ufffd\ufffd\ufffdw_\u0000{bf\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.0\ufffd(\ufffd\u00144fM`1\ufffdm\ufffdQ9\ufffd\ufffd\ufffdf\ufffd\ufffd\ufffd\ufffd\u001b\ufffdu\ufffdU\| \u0011\ufffd\n\u0007\ufffdR\ufffd\u041bF9\ufffd\ufffd\ufffd\ufffdu\u0000+\ufffd\\9\ufffd\ufffd\ufffdw_\u0000{bf\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\ufffdc\ufffd\ufffd2\ufffd.QT\ufffdi\ufffd\ufffdl\ufffd(\ufffd\u06dc\ufffd\ufffd\u001e\ufffd\u03d6\ufffd\ufffd~\u0002", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.0\ufffd(\ufffd\u00144fM`1\ufffdm\ufffdQ9\ufffd\ufffd\ufffdf\ufffd\ufffd\ufffd\ufffd\u001b\ufffdu\ufffdU\| \u0011\ufffd\n\u0007\ufffdR\ufffd\u041bF9\ufffd\ufffd\ufffd\ufffdu\u0000+\ufffd\\9\ufffd\ufffd\ufffdw_\u0000{bf\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c5e0791dfc46d9761fca877da4fb85df16b88673", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��\1��%��3��ְ�n�+ �~�46P��'h01O=��V��'��&&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��\1��%��3��ְ�n�+ �~�46P��'h01O=��V��'��&&�+�/�,�0̨̩� �� /5� w �+3&$ ��&օ�l��CF��3\��躎�8��EE Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.794074261110251, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "8b5a1aa93267c8e4541d06cc3423df04", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001a\ufffd\ufffd\ufffd\ufffd\ufffd\u0012\ufffd\\\u00061\ufffd\u0002\ufffd\ufffd%\ufffd\ufffd\ufffd3\ufffd\ufffd\ufffd\u05b0\ufffdn\ufffd+\u001a \ufffd\u001e~\ufffd\u0006\u000246P\u0014\ufffd\ufffd'h01O=\ufffd\ufffdV\ufffd\ufffd\ufffd\u0003\ufffd\ufffd'\ufffd\ufffd&\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001a\ufffd\ufffd\ufffd\ufffd\ufffd\u0012\ufffd\\\u00061\ufffd\u0002\ufffd\ufffd%\ufffd\ufffd\ufffd3\ufffd\ufffd\ufffd\u05b0\ufffdn\ufffd+\u001a \ufffd\u001e~\ufffd\u0006\u000246P\u0014\ufffd\ufffd'h01O=\ufffd\ufffdV\ufffd\ufffd\ufffd\u0003\ufffd\ufffd'\ufffd\ufffd&\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u001a\ufffd\ufffd\ufffd&\u0585\u0017\ufffdl\ufffd\ufffd\ufffdCF\u0013\ufffd\ufffd3\\\ufffd\ufffd\u8e8e\ufffd8\ufffd\ufffdEE", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001a\ufffd\ufffd\ufffd\ufffd\ufffd\u0012\ufffd\\\u00061\ufffd\u0002\ufffd\ufffd%\ufffd\ufffd\ufffd3\ufffd\ufffd\ufffd\u05b0\ufffdn\ufffd+\u001a \ufffd\u001e~\ufffd\u0006\u000246P\u0014\ufffd\ufffd'h01O=\ufffd\ufffdV\ufffd\ufffd\ufffd\u0003\ufffd\ufffd'\ufffd\ufffd&\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001a\ufffd\ufffd\ufffd\ufffd\ufffd\u0012\ufffd\\\u00061\ufffd\u0002\ufffd\ufffd%\ufffd\ufffd\ufffd3\ufffd\ufffd\ufffd\u05b0\ufffdn\ufffd+\u001a \ufffd\u001e~\ufffd\u0006\u000246P\u0014\ufffd\ufffd'h01O=\ufffd\ufffdV\ufffd\ufffd\ufffd\u0003\ufffd\ufffd'\ufffd\ufffd&\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u001a\ufffd\ufffd\ufffd&\u0585\u0017\ufffdl\ufffd\ufffd\ufffdCF\u0013\ufffd\ufffd3\\\ufffd\ufffd\u8e8e\ufffd8\ufffd\ufffdEE", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001a\ufffd\ufffd\ufffd\ufffd\ufffd\u0012\ufffd\\\u00061\ufffd\u0002\ufffd\ufffd%\ufffd\ufffd\ufffd3\ufffd\ufffd\ufffd\u05b0\ufffdn\ufffd+\u001a \ufffd\u001e~\ufffd\u0006\u000246P\u0014\ufffd\ufffd'h01O=\ufffd\ufffdV\ufffd\ufffd\ufffd\u0003\ufffd\ufffd'\ufffd\ufffd&\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "251231a632a2729254c16c92b66a798bfa0681a7", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��6K� 8j]-۵�6FianV3؎�9&ä ��@� xA�F��!_(�b��+x:8�>E�z5��[s^Vv&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��6K� 8j]-۵�6FianV3؎�9&ä ��@� xA�F��!_(�b��+x:8�>E�z5��[s^Vv&�+�/�,�0̨̩� �� /5� w �+3&$ ��j��60{Y�� D�'�X׌�zN� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.892355752118201, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "4a8916c51a999edb9c0b2d3629f57cd6", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00036K\ufffd\r8j]-\u06f5\u0016\ufffd6FianV3\u060e\ufffd9&\u00e4\r\ufffd\ufffd@\ufffd xA\u0001\ufffdF\ufffd\ufffd\ufffd!_(\ufffdb\ufffd\ufffd+x:8\ufffd>E\ufffdz5\ufffd\ufffd[s^Vv\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00036K\ufffd\r8j]-\u06f5\u0016\ufffd6FianV3\u060e\ufffd9&\u00e4\r\ufffd\ufffd@\ufffd xA\u0001\ufffdF\ufffd\ufffd\ufffd!_(\ufffdb\ufffd\ufffd+x:8\ufffd>E\ufffdz5\ufffd\ufffd[s^Vv\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd60{Y\ufffd\u001c\ufffd\ufffd\n\u000b\ufffd\ufffdD\ufffd'\u0016\ufffdX\u05cc\ufffdzN\ufffd\u001f", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00036K\ufffd\r8j]-\u06f5\u0016\ufffd6FianV3\u060e\ufffd9&\u00e4\r\ufffd\ufffd@\ufffd xA\u0001\ufffdF\ufffd\ufffd\ufffd!_(\ufffdb\ufffd\ufffd+x:8\ufffd>E\ufffdz5\ufffd\ufffd[s^Vv\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00036K\ufffd\r8j]-\u06f5\u0016\ufffd6FianV3\u060e\ufffd9&\u00e4\r\ufffd\ufffd@\ufffd xA\u0001\ufffdF\ufffd\ufffd\ufffd!_(\ufffdb\ufffd\ufffd+x:8\ufffd>E\ufffdz5\ufffd\ufffd[s^Vv\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd60{Y\ufffd\u001c\ufffd\ufffd\n\u000b\ufffd\ufffdD\ufffd'\u0016\ufffdX\u05cc\ufffdzN\ufffd\u001f", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00036K\ufffd\r8j]-\u06f5\u0016\ufffd6FianV3\u060e\ufffd9*&\u00e4\r\ufffd\ufffd@\ufffd xA\u0001\ufffdF\ufffd\ufffd\ufffd!_(\ufffdb\ufffd\ufffd+x:8\ufffd>E\ufffdz5\ufffd\ufffd[s^Vv\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "35deeddbb2f465972612e5b5282e119c3dc4f60c", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��kb�dO��H��0i%�N�VB��; ��\�e�:��pl��M�a�n~ɝ\"�!&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��kb�dO��H��0i%�N�VB��; ��\�e�:��pl��M�a�n~ɝ\"�!&�+�/�,�0̨̩� �� /5� w �+3&$ �� D�,��f��1��Z�\� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.810821495139027, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "d89343f40e35550d93f8cfd37d04d28f", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdkb\ufffddO\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\u001e\u0007\ufffd\ufffd0i%\ufffdN\ufffdVB\ufffd\u0016\ufffd\u0002\ufffd; \ufffd\u0010\ufffd\\\ufffde\ufffd:\ufffd\ufffdpl\ufffd\ufffdM\ufffd\u001e\u0005a\u0003\ufffdn~\u025d\\\"\ufffd\u0012!\u0007\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdkb\ufffddO\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\u001e\u0007\ufffd\ufffd0i%\ufffdN\ufffdVB\ufffd\u0016\ufffd\u0002\ufffd; \ufffd\u0010\ufffd\\\ufffde\ufffd:\ufffd\ufffdpl\ufffd\ufffdM\ufffd\u001e\u0005a\u0003\ufffdn~\u025d\\\"\ufffd\u0012!\u0007\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\u000e\ufffd\r\ufffdD\ufffd\u001f,\u0001\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\ufffdf\ufffd\ufffd\u00131\ufffd\ufffd\ufffdZ\ufffd\\\u0018\ufffd\u000e", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdkb\ufffddO\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\u001e\u0007\ufffd\ufffd0i%\ufffdN\ufffdVB\ufffd\u0016\ufffd\u0002\ufffd; \ufffd\u0010\ufffd\\\ufffde\ufffd:\ufffd\ufffdpl\ufffd\ufffdM\ufffd\u001e\u0005a\u0003\ufffdn~\u025d\\\"\ufffd\u0012!\u0007\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdkb\ufffddO\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\u001e\u0007\ufffd\ufffd0i%\ufffdN\ufffdVB\ufffd\u0016\ufffd\u0002\ufffd; \ufffd\u0010\ufffd\\\ufffde\ufffd:\ufffd\ufffdpl\ufffd\ufffdM\ufffd\u001e\u0005a\u0003\ufffdn~\u025d\\\"\ufffd\u0012!\u0007\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\u000e\ufffd\r\ufffdD\ufffd\u001f,\u0001\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\ufffdf\ufffd\ufffd\u00131\ufffd\ufffd\ufffdZ\ufffd\\\u0018\ufffd\u000e", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdkb\ufffddO\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\u001e\u0007\ufffd\ufffd0i%\ufffdN\ufffdVB\ufffd\u0016\ufffd\u0002\ufffd; \ufffd\u0010\ufffd\\\ufffde\ufffd:\ufffd\ufffdpl\ufffd\ufffdM\ufffd\u001e\u0005a\u0003\ufffdn~\u025d\\\"\ufffd\u0012!\u0007\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f201e54ffb5cd377ad68e09fc75ac7b7c715bae9", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��;�Z��X��U1=O��- nq�9��M��ɋ�-��M9�1�H�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) �� ;�Z��X��U1=O��- nq�9��M��ɋ�-��M9�1�H�&�+�/�,�0̨̩� �� /5� w �+3&$ ��?�� 輍;�:��W�ɸ� P{��: Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.79628970082638, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "94748242bde1ec5a3b5d48e2f403230b", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\f\ufffd\ufffd;\ufffd\u0014Z\ufffd\ufffd\ufffd\ufffd\u0003\ufffd\bX\ufffd\ufffd\bU\u000f1=O\ufffd\ufffd\u0014\ufffd\ufffd- n\u0012q\ufffd9\ufffd\ufffd\u001bM\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\u024b\ufffd-\ufffd\ufffd\u000fM9\ufffd\u0003\u00101\ufffdH\u0013\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\f\ufffd\ufffd;\ufffd\u0014Z\ufffd\ufffd\ufffd\ufffd\u0003\ufffd\bX\ufffd\ufffd\bU\u000f1=O\ufffd\ufffd\u0014\ufffd\ufffd- n\u0012q\ufffd9\ufffd\ufffd\u001bM\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\u024b\ufffd-\ufffd\ufffd\u000fM9\ufffd\u0003\u00101\ufffdH\u0013\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \f\ufffd\u001e\ufffd?\ufffd\ufffd\u0003\ufffd\u000e\f\ufffd\u8f0d;\ufffd:\ufffd\ufffdW\ufffd\u0278\ufffd\tP{\ufffd\ufffd:", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\f\ufffd\ufffd;\ufffd\u0014Z\ufffd\ufffd\ufffd\ufffd\u0003\ufffd\bX\ufffd\ufffd\bU\u000f1=O\ufffd\ufffd\u0014\ufffd\ufffd- n\u0012q\ufffd9\ufffd\ufffd\u001bM\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\u024b\ufffd-\ufffd\ufffd\u000fM9\ufffd\u0003\u00101\ufffdH\u0013\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\f\ufffd\ufffd;\ufffd\u0014Z\ufffd\ufffd\ufffd\ufffd\u0003\ufffd\bX\ufffd\ufffd\bU\u000f1=O\ufffd\ufffd\u0014\ufffd\ufffd- n\u0012q\ufffd9\ufffd\ufffd\u001bM\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\u024b\ufffd-\ufffd\ufffd\u000fM9\ufffd\u0003\u00101\ufffdH\u0013\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \f\ufffd\u001e\ufffd?\ufffd\ufffd\u0003\ufffd\u000e\f\ufffd\u8f0d;\ufffd:\ufffd\ufffdW\ufffd\u0278\ufffd\tP{\ufffd\ufffd:", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\f\ufffd\ufffd;\ufffd\u0014Z\ufffd\ufffd\ufffd\ufffd\u0003\ufffd\bX\ufffd\ufffd\bU\u000f1=O\ufffd\ufffd\u0014\ufffd\ufffd- n\u0012q\ufffd9\ufffd\ufffd\u001bM\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\u024b\ufffd-\ufffd\ufffd\u000fM9\ufffd\u0003\u00101\ufffdH\u0013\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "10c902e4fc3a90d04289b3579b27d38b26d5dfc5", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Yn��s��PM�}�v��:O 5' ��m��{��U��H(��HЭv� &�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Yn��s��PM�}�v��:O 5' ��m��{��U��H(��HЭv� &�+�/�,�0̨̩� �� /5� w �+3&$ �ݨ��)��5�w��e�Kf��\��tb� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.893335307062548, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "7da829f1e27de7f74b667aa64aa32653", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdYn\ufffd\ufffds\ufffd\u001e\ufffd\ufffd\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdPM\ufffd}\ufffd\u001cv\ufffd\ufffd:O 5'\t\ufffd\ufffd\ufffd\ufffdm\ufffd\ufffd\ufffd{\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd\u0000\ufffdH\u0010(\ufffd\ufffdH\u042dv\ufffd\n\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdYn\ufffd\ufffds\ufffd\u001e\ufffd\ufffd\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdPM\ufffd}\ufffd\u001cv\ufffd\ufffd:O 5'\t\ufffd\ufffd\ufffd\ufffdm\ufffd\ufffd\ufffd{\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd\u0000\ufffdH\u0010(\ufffd\ufffdH\u042dv\ufffd\n\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u000e\u0768\ufffd\ufffd)\ufffd\u001e\ufffd\ufffd5\ufffdw\ufffd\ufffd\ufffde\ufffdKf\ufffd\ufffd\\\ufffd\u001f\ufffd\u001btb\ufffd\u0010", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdYn\ufffd\ufffds\ufffd\u001e\ufffd\ufffd\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdPM\ufffd}\ufffd\u001cv\ufffd\ufffd:O 5'\t\ufffd\ufffd\ufffd\ufffdm\ufffd\ufffd\ufffd{\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd\u0000\ufffdH\u0010(\ufffd\ufffdH\u042dv\ufffd\n\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdYn\ufffd\ufffds\ufffd\u001e\ufffd\ufffd\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdPM\ufffd}\ufffd\u001cv\ufffd\ufffd:O 5'\t\ufffd\ufffd\ufffd\ufffdm\ufffd\ufffd\ufffd{\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd\u0000\ufffdH\u0010(\ufffd\ufffdH\u042dv\ufffd\n\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u000e\u0768\ufffd\ufffd)\ufffd\u001e\ufffd\ufffd5\ufffdw\ufffd\ufffd\ufffde\ufffdKf\ufffd\ufffd\\\ufffd\u001f\ufffd\u001btb\ufffd\u0010", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdYn\ufffd\ufffds\ufffd\u001e\ufffd\ufffd\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdPM\ufffd}\ufffd\u001cv\ufffd\ufffd:O 5'\t\ufffd\ufffd\ufffd\ufffdm\ufffd\ufffd\ufffd{\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd\u0000\ufffdH\u0010(\ufffd\ufffdH\u042dv\ufffd\n\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "511b3ae3ffe828ce66451a232a0a1aeadeee59ca", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��F�:pε�q��"BKUh��>�m�;�� 4�u�_�v�z��F��;)�F��hٲ~�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��F�:pε�q��"BKUh��>�m�;�� 4�u�_�v�z��F��;)�F��hٲ~� &�+�/�,�0̨̩� �� /5� w �+3&$ �Vr�v��1�r��_��^�\ޚRD% Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.9009733197781795, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "1a58739c92e986cf17fd66a36817b428", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003F\ufffd:p\u03b5\ufffdq\ufffd\ufffd\ufffd\ufffd\"BK\u0014Uh\ufffd\ufffd\u0010\u001f\u001c>\ufffdm\ufffd;\ufffd\ufffd \ufffd\ufffd4\ufffd\u0014u\ufffd\u0006\u0019_\ufffdv\ufffdz\ufffd\ufffdF\ufffd\ufffd;)\ufffdF\ufffd\ufffdh\u0672~\ufffd\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003F\ufffd:p\u03b5\ufffdq\ufffd\ufffd\ufffd\ufffd\"BK\u0014Uh\ufffd\ufffd\u0010\u001f\u001c>\ufffdm\ufffd;\ufffd\ufffd \ufffd\ufffd4\ufffd\u0014u\ufffd\u0006\u0019_\ufffdv\ufffdz\ufffd\ufffdF\ufffd\ufffd;)\ufffdF\ufffd\ufffdh\u0672~\ufffd\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdVr\ufffd\u000ev\ufffd\ufffd1\ufffdr\ufffd\ufffd\u0014\ufffd_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffd\u0003\\\u079aRD%\u000e", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003F\ufffd:p\u03b5\ufffdq\ufffd\ufffd\ufffd\ufffd\"BK\u0014Uh\ufffd\ufffd\u0010\u001f\u001c>\ufffdm\ufffd;\ufffd\ufffd \ufffd\ufffd4\ufffd\u0014u\ufffd\u0006\u0019_\ufffdv\ufffdz\ufffd\ufffdF\ufffd\ufffd;)\ufffdF\ufffd\ufffdh\u0672~\ufffd\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003F\ufffd:p\u03b5\ufffdq\ufffd\ufffd\ufffd\ufffd\"BK\u0014Uh\ufffd\ufffd\u0010\u001f\u001c>\ufffdm\ufffd;\ufffd\ufffd \ufffd\ufffd4\ufffd\u0014u\ufffd\u0006\u0019_\ufffdv\ufffdz\ufffd\ufffdF\ufffd\ufffd;)\ufffdF\ufffd\ufffdh\u0672~\ufffd\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdVr\ufffd\u000ev\ufffd\ufffd1\ufffdr\ufffd\ufffd\u0014\ufffd_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffd\u0003\\\u079aRD%\u000e", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003F\ufffd:p\u03b5\ufffdq\ufffd\ufffd\ufffd\ufffd\"BK\u0014Uh\ufffd\ufffd\u0010\u001f\u001c>\ufffdm\ufffd;\ufffd\ufffd \ufffd\ufffd4\ufffd\u0014u\ufffd\u0006\u0019_\ufffdv\ufffdz\ufffd\ufffdF\ufffd\ufffd;)\ufffdF\ufffd\ufffdh\u0672~\ufffd\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "df2b7196b77887abe7cbffac49e5a21bca69364f", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��b3N��w�Z>��/\|�S�O�Ω� ��(}�G��%U��>ޱƾl-��1�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��b3N��w�Z>��/\|�S�O�Ω� ��(}�G��%U��>ޱƾ l-��1�&�+�/�,�0̨̩� �� /5� w �+3&$ aq��=��["j��N��#��\��x Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.891284156453036, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "c118b93890f1a0707989533462a4bf30", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001a\ufffdb3N\ufffd\ufffdw\ufffdZ>\u0000\ufffd\ufffd\u0002\ufffd\u0016\ufffd\/\|\u001e\ufffdS\ufffdO\ufffd\u03a9\ufffd \ufffd\ufffd(}\ufffdG\ufffd\ufffd\ufffd%U\ufffd\ufffd>\u07b1\u01be\u001d\u001f\u0015\fl-\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001a\ufffdb3N\ufffd\ufffdw\ufffdZ>\u0000\ufffd\ufffd\u0002\ufffd\u0016\ufffd\/\|\u001e\ufffdS\ufffdO\ufffd\u03a9\ufffd \ufffd\ufffd(}\ufffdG\ufffd\ufffd\ufffd%U\ufffd\ufffd>\u07b1\u01be\u001d\u001f\u0015\fl-\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0015aq\ufffd\ufffd\u0007\ufffd=\ufffd\ufffd\ufffd\ufffd\ufffd[\"j\ufffd\u000f\ufffdN\ufffd\ufffd#\ufffd\u001b\ufffd\\\ufffd\ufffd\ufffd\u001bx", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001a\ufffdb3N\ufffd\ufffdw\ufffdZ>\u0000\ufffd\ufffd\u0002\ufffd\u0016\ufffd\/\|\u001e\ufffdS\ufffdO\ufffd\u03a9\ufffd \ufffd\ufffd(}\ufffdG\ufffd\ufffd\ufffd%U\ufffd\ufffd>\u07b1\u01be\u001d\u001f\u0015\fl-\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001a\ufffdb3N\ufffd\ufffdw\ufffdZ>\u0000\ufffd\ufffd\u0002\ufffd\u0016\ufffd\/\|\u001e\ufffdS\ufffdO\ufffd\u03a9\ufffd \ufffd\ufffd(}\ufffdG\ufffd\ufffd\ufffd%U\ufffd\ufffd>\u07b1\u01be\u001d\u001f\u0015\fl-\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0015aq\ufffd\ufffd\u0007\ufffd=\ufffd\ufffd\ufffd\ufffd\ufffd[\"j\ufffd\u000f\ufffdN\ufffd\ufffd#\ufffd\u001b\ufffd\\\ufffd\ufffd\ufffd\u001bx", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001a\ufffdb3N\ufffd\ufffdw\ufffdZ>\u0000\ufffd\ufffd\u0002\ufffd\u0016\ufffd\/\|\u001e\ufffdS\ufffdO\ufffd\u03a9\ufffd \ufffd\ufffd(}\ufffdG\ufffd\ufffd\ufffd%U\ufffd\ufffd>\u07b1\u01be\u001d\u001f\u0015\fl-\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a5feed2ef3106026c5fd7efbd9e6cf84ae358e2c", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��,�5��A{f�%d�u��Q� �s��5�#��r�\��ױ��L[�]a&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��,�5��A{f�%d�u��Q� �s��5�#��r�\��ױ��L[�]a&�+�/�,�0̨̩� �� /5� w �+3&$ �]Ī��Y)z�'uZ7��~L{I Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.781270791046152, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "bb50a1ceeabc45934079a79d64349ff2", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffd5\ufffd\ufffd\ufffd\ufffd\ufffd\u001eA{f\ufffd\u0011%d\ufffdu\ufffd\u0018\ufffd\ufffd\ufffdQ\ufffd \ufffds\ufffd\ufffd5\ufffd#\ufffd\u000e\ufffd\u0002\ufffd\ufffd\ufffdr\b\ufffd\\\ufffd\ufffd\u0010\u05f1\ufffd\u000e\ufffdL\u0014[\ufffd]a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffd5\ufffd\ufffd\ufffd\ufffd\ufffd\u001eA{f\ufffd\u0011%d\ufffdu\ufffd\u0018\ufffd\ufffd\ufffdQ\ufffd \ufffds\ufffd\ufffd5\ufffd#\ufffd\u000e\ufffd\u0002\ufffd\ufffd\ufffdr\b\ufffd\\\ufffd\ufffd\u0010\u05f1\ufffd\u000e\ufffdL\u0014[\ufffd]a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd]\u012a\ufffd\ufffd\ufffd\ufffd\ufffd\u0019\u001cY)z\ufffd'uZ\u00057\u0005\ufffd\ufffd\u0018~L{\u0014\u0013I\u0004", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffd5\ufffd\ufffd\ufffd\ufffd\ufffd\u001eA{f\ufffd\u0011%d\ufffdu\ufffd\u0018\ufffd\ufffd\ufffdQ\ufffd \ufffds\ufffd\ufffd5\ufffd#\ufffd\u000e\ufffd\u0002\ufffd\ufffd\ufffdr\b\ufffd\\\ufffd\ufffd\u0010\u05f1\ufffd\u000e\ufffdL\u0014[\ufffd]a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffd5\ufffd\ufffd\ufffd\ufffd\ufffd\u001eA{f\ufffd\u0011%d\ufffdu\ufffd\u0018\ufffd\ufffd\ufffdQ\ufffd \ufffds\ufffd\ufffd5\ufffd#\ufffd\u000e\ufffd\u0002\ufffd\ufffd\ufffdr\b\ufffd\\\ufffd\ufffd\u0010\u05f1\ufffd\u000e\ufffdL\u0014[\ufffd]a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd]\u012a\ufffd\ufffd\ufffd\ufffd\ufffd\u0019\u001cY)z\ufffd'uZ\u00057\u0005\ufffd\ufffd\u0018~L{\u0014\u0013I\u0004", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffd5\ufffd\ufffd\ufffd\ufffd\ufffd\u001eA{f\ufffd\u0011%d\ufffdu\ufffd\u0018\ufffd\ufffd\ufffdQ\ufffd \ufffds\ufffd\ufffd5\ufffd#\ufffd\u000e\ufffd\u0002\ufffd\ufffd\ufffdr\b\ufffd\\\ufffd\ufffd\u0010\u05f1\ufffd\u000e\ufffdL\u0014[\ufffd]a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8028c04c5e0e1ac6fc6d9116a976d65ac53a7986", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��цl �Q��!�<�ן]��`�d4 �}i��9�nyhb��j&4�`�}%��nP�;7��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��цl �Q��!�<�ן]��`�d4 �}i��9�nyhb��j&4�`�}%��nP�;7��&�+�/�,�0̨̩� �� /5� w �+3&$ `��Mm��;�Ǘ����(hν� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.832288903440025, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "3f8e73dd935df3f7ef79219351f1aaba", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0446\u0002l \ufffdQ\ufffd\u0000\ufffd\ufffd\ufffd!\ufffd\u0010<\ufffd\u0015\u05df]\ufffd\ufffd\b\u0010`\ufffdd4 \ufffd}i\ufffd\ufffd9\ufffdnyhb\ufffd\u0012\ufffdj&4\ufffd`\ufffd}%\ufffd\ufffdnP\ufffd;7\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0446\u0002l \ufffdQ\ufffd\u0000\ufffd\ufffd\ufffd!\ufffd\u0010<\ufffd\u0015\u05df]\ufffd\ufffd\b\u0010`\ufffdd4 \ufffd}i\ufffd\ufffd9\ufffdnyhb\ufffd\u0012\ufffdj&4\ufffd`\ufffd}%\ufffd\ufffdnP\ufffd;7\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u000b`\ufffd\ufffd\ufffdMm\ufffd\ufffd\ufffd\ufffd;\ufffd\u01d7\ufffd\u001b\ufffd\u0019\u0010\ue6d3\ufffd\ufffd\u0012(h\u03bd\ufffd\u001a", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0446\u0002l \ufffdQ\ufffd\u0000\ufffd\ufffd\ufffd!\ufffd\u0010<\ufffd\u0015\u05df]\ufffd\ufffd\b\u0010`\ufffdd4 \ufffd}i\ufffd\ufffd9\ufffdnyhb\ufffd\u0012\ufffdj&4\ufffd`\ufffd}%\ufffd\ufffdnP\ufffd;7\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0446\u0002l \ufffdQ\ufffd\u0000\ufffd\ufffd\ufffd!\ufffd\u0010<\ufffd\u0015\u05df]\ufffd\ufffd\b\u0010`\ufffdd4 \ufffd}i\ufffd\ufffd9\ufffdnyhb\ufffd\u0012\ufffdj&4\ufffd`\ufffd}%\ufffd\ufffdnP\ufffd;7\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u000b`\ufffd\ufffd\ufffdMm\ufffd\ufffd\ufffd\ufffd;\ufffd\u01d7\ufffd\u001b\ufffd\u0019\u0010\ue6d3\ufffd\ufffd\u0012(h\u03bd\ufffd\u001a", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0446\u0002l \ufffdQ\ufffd\u0000\ufffd\ufffd\ufffd!\ufffd\u0010<\ufffd\u0015\u05df]\ufffd\ufffd\b\u0010`\ufffdd4 \ufffd}i\ufffd\ufffd9\ufffdnyhb\ufffd\u0012\ufffdj&4\ufffd`\ufffd}%\ufffd\ufffdnP\ufffd;7\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3b35cf19985f899ffe5787528e088638dbdfe841", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Q%s�ۘ��QMwrE�ֳ�_\|K6�a�A�T ЛKtf�Т�I�^�_�'5��G�=?�==�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Q%s�ۘ��QMwrE�ֳ�_\|K6�a�A�T ЛKtf�Т�I�^�_�'5��G�=?�==�&�+�/�,�0̨̩� �� /5� w �+3&$ E��f��6�"�0�hҊ��;���мVi� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.894298820932892, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "ba5d4caa4263e474360db26391333ed0", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Q%s\ufffd\u06d8\ufffd\u0002\ufffd\u0002\ufffd\ufffd\ufffdQMwrE\ufffd\u05b3\ufffd_\|K6\ufffda\ufffdA\ufffdT \u041bK\u000ftf\u0010\ufffd\u0422\ufffdI\ufffd^\ufffd_\ufffd'5\u0001\ufffd\ufffd\ufffdG\ufffd=?\u001f\ufffd==\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Q%s\ufffd\u06d8\ufffd\u0002\ufffd\u0002\ufffd\ufffd\ufffdQMwrE\ufffd\u05b3\ufffd_\|K6\ufffda\ufffdA\ufffdT \u041bK\u000ftf\u0010\ufffd\u0422\ufffdI\ufffd^\ufffd_\ufffd'5\u0001\ufffd\ufffd\ufffdG\ufffd=?\u001f\ufffd==\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 E\u0017\ufffd\b\ufffdf\u001a\ufffd\ufffd6\ufffd\"\ufffd0\ufffdh\u048a\ufffd\ufffd;\ufffd\ufffd\ufffd\u043cVi\ufffd\t", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Q%s\ufffd\u06d8\ufffd\u0002\ufffd\u0002\ufffd\ufffd\ufffdQMwrE\ufffd\u05b3\ufffd_\|K6\ufffda\ufffdA\ufffdT \u041bK\u000ftf\u0010\ufffd\u0422\ufffdI\ufffd^\ufffd_\ufffd'5\u0001\ufffd\ufffd\ufffdG\ufffd=?\u001f\ufffd==\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Q%s\ufffd\u06d8\ufffd\u0002\ufffd\u0002\ufffd\ufffd\ufffdQMwrE\ufffd\u05b3\ufffd_\|K6\ufffda\ufffdA\ufffdT \u041bK\u000ftf\u0010\ufffd\u0422\ufffdI\ufffd^\ufffd_\ufffd'5\u0001\ufffd\ufffd\ufffdG\ufffd=?\u001f\ufffd==\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 E\u0017\ufffd\b\ufffdf\u001a\ufffd\ufffd6\ufffd\"\ufffd0\ufffdh\u048a\ufffd\ufffd;\ufffd\ufffd*\ufffd\u043cVi\ufffd\t", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Q%s\ufffd\u06d8\ufffd\u0002\ufffd\u0002\ufffd\ufffd\ufffdQMwrE\ufffd\u05b3\ufffd_\|K6\ufffda\ufffdA\ufffdT \u041bK\u000ftf\u0010\ufffd\u0422\ufffdI\ufffd^\ufffd_\ufffd'5\u0001\ufffd\ufffd\ufffdG\ufffd=?\u001f\ufffd==\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a0504f74b75643d6f8b50fc51f8e6a104c33eb84", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��ݱ>��vэ�z�9��;�~x�f�,�hi�,_� I��,�u�Xމ9mYF8� �.�Pu�-��Z&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��ݱ>��vэ�z�9��;�~x�f�,�hi�,_� I��,�u�Xމ9mYF8� �.�Pu�-��Z&�+�/�,�0̨̩� �� /5� w �+3&$ ��LQ��.�԰~��0J��"m&��#] Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.8555738248529074, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "ac2ebb030527e8cbd1d5ca07aabbff59", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0771\u0016>\ufffd\ufffdv\u044d\ufffdz\ufffd9\ufffd\ufffd\ufffd;\ufffd~x\ufffdf\ufffd,\ufffdhi\ufffd,_\ufffd\u0005 \u001eI\ufffd\ufffd,\u0014\ufffdu\ufffdX\u07899m\u0013YF8\ufffd\u001b\t\ufffd.\ufffdPu\ufffd-\ufffd\ufffd\ufffdZ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0771\u0016>\ufffd\ufffdv\u044d\ufffdz\ufffd9\ufffd\ufffd\ufffd;\ufffd~x\ufffdf\ufffd,\ufffdhi\ufffd,_\ufffd\u0005 \u001eI\ufffd\ufffd,\u0014\ufffdu\ufffdX\u07899m\u0013YF8\ufffd\u001b\t\ufffd.\ufffdPu\ufffd-\ufffd\ufffd\ufffdZ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdLQ\ufffd\ufffd.\ufffd\u0530~\ufffd\ufffd\ufffd\ufffd\ufffd0J\ufffd\ufffd\ufffd\ufffd\"m&\ufffd\ufffd\ufffd\ufffd#]", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0771\u0016>\ufffd\ufffdv\u044d\ufffdz\ufffd9\ufffd\ufffd\ufffd;\ufffd~x\ufffdf\ufffd,\ufffdhi\ufffd,_\ufffd\u0005 \u001eI\ufffd\ufffd,\u0014\ufffdu\ufffdX\u07899m\u0013YF8\ufffd\u001b\t\ufffd.\ufffdPu\ufffd-\ufffd\ufffd\ufffdZ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0771\u0016>\ufffd\ufffdv\u044d\ufffdz\ufffd9\ufffd\ufffd\ufffd;\ufffd~x\ufffdf\ufffd,\ufffdhi\ufffd,_\ufffd\u0005 \u001eI\ufffd\ufffd,\u0014\ufffdu\ufffdX\u07899m\u0013YF8\ufffd\u001b\t\ufffd.\ufffdPu\ufffd-\ufffd\ufffd\ufffdZ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdLQ\ufffd\ufffd.\ufffd\u0530~\ufffd\ufffd\ufffd\ufffd\ufffd0J\ufffd\ufffd\ufffd\ufffd\"m&\ufffd\ufffd\ufffd\ufffd#]", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0771\u0016>\ufffd\ufffdv\u044d\ufffdz\ufffd9\ufffd\ufffd\ufffd;\ufffd~x\ufffdf\ufffd,\ufffdhi\ufffd,_\ufffd\u0005 \u001eI\ufffd\ufffd,\u0014\ufffdu\ufffdX\u07899m\u0013YF8\ufffd\u001b\t\ufffd.\ufffdPu\ufffd-\ufffd\ufffd\ufffdZ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "09f75f5571b1adf41df50fd663ed56856fbfc3fa", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��5��l�֥7�x��O-�j0 �#�,� ��_T �v'��b�[PI�}f��N<W܇&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��5��l�֥7�x��O-�j0 �#�,� ��_T �v'��b�[PI�}f��N<W܇&�+�/�,�0̨̩� �� /5� w �+3&$ ��5��<%�k� �W��}'B�o�d&_ Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.841063653202863, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "55b60fcac16b754aa20f16bccb29499e", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00035\ufffd\ufffd\ufffdl\ufffd\u05a57\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffdO-\ufffdj0\u0016\r\u0005\n\ufffd\u0013#\ufffd,\ufffd \ufffd\ufffd_T\t\ufffdv'\ufffd\ufffd\ufffd\ufffd\ufffdb\ufffd[PI\ufffd}\u0007f\ufffd\ufffd\ufffd\ufffd\ufffdN<W\u0707\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00035\ufffd\ufffd\ufffdl\ufffd\u05a57\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffdO-\ufffdj0\u0016\r\u0005\n\ufffd\u0013#\ufffd,\ufffd \ufffd\ufffd_T\t\ufffdv'\ufffd\ufffd\ufffd\ufffd\ufffdb\ufffd[PI\ufffd}\u0007f\ufffd\ufffd\ufffd\ufffd\ufffdN<W\u0707\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd5\ufffd\ufffd\ufffd\ufffd<%\ufffdk\ufffd\r\u0012\ufffdW\ufffd\ufffd\ufffd\ufffd\ufffd}\u0005'B\u0019\ufffdo\ufffdd&_", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00035\ufffd\ufffd\ufffdl\ufffd\u05a57\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffdO-\ufffdj0\u0016\r\u0005\n\ufffd\u0013#\ufffd,\ufffd \ufffd\ufffd_T\t\ufffdv'\ufffd\ufffd\ufffd\ufffd\ufffdb\ufffd[PI\ufffd}\u0007f\ufffd\ufffd\ufffd\ufffd\ufffdN<W\u0707\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00035\ufffd\ufffd\ufffdl\ufffd\u05a57\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffdO-\ufffdj0\u0016\r\u0005\n\ufffd\u0013#\ufffd,\ufffd \ufffd\ufffd_T\t\ufffdv'\ufffd\ufffd\ufffd\ufffd\ufffdb\ufffd[PI\ufffd}\u0007f\ufffd\ufffd\ufffd\ufffd\ufffdN<W\u0707\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd5\ufffd\ufffd\ufffd\ufffd<%\ufffdk\ufffd\r\u0012\ufffdW\ufffd\ufffd\ufffd\ufffd\ufffd}\u0005'B\u0019\ufffdo\ufffdd&_", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00035\ufffd\ufffd\ufffdl\ufffd\u05a57\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffdO-\ufffdj0\u0016\r\u0005\n\ufffd\u0013#\ufffd,\ufffd \ufffd\ufffd_T\t\ufffdv'\ufffd\ufffd\ufffd\ufffd\ufffdb\ufffd[PI\ufffd}\u0007f\ufffd\ufffd\ufffd\ufffd\ufffdN<W\u0707\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4e932ff8a843b56009b174ea1cfd424f01118d9b", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��A��-�e��.��X��4�?�Dp� ��0'�k�>�4l,�\|D��{�^��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��A��-�e��.��X��4�?�Dp� ��0'�k�>�4l,�\|D��{�^�� &�+�/�,�0̨̩� �� /5� w �+3&$ k:�}�n.9 ��#<��9��+��R�>�K�� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.829373146067555, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "cbcb52862f46268a8c4de25d59fd501b", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdA\ufffd\ufffd-\ufffde\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u001b.\u0014\ufffd\ufffd\ufffdX\ufffd\ufffd4\ufffd?\u0015\ufffdDp\u001f\ufffd \u0000\ufffd\ufffd\u0004\ufffd0'\ufffdk\ufffd>\ufffd4l,\ufffd\|\u0004D\ufffd\u0011\ufffd\ufffd{\ufffd^\ufffd\ufffd\u000b\u001b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdA\ufffd\ufffd-\ufffde\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u001b.\u0014\ufffd\ufffd\ufffdX\ufffd\ufffd4\ufffd?\u0015\ufffdDp\u001f\ufffd \u0000\ufffd\ufffd\u0004\ufffd0'\ufffdk\ufffd>\ufffd4l,\ufffd\|\u0004D\ufffd\u0011\ufffd\ufffd{\ufffd^\ufffd\ufffd\u000b\u001b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 k:\ufffd}\ufffdn.9\u000b\ufffd\ufffd#<\ufffd\ufffd\ufffd9\ufffd\ufffd+\u0019\ufffd\ufffd\ufffdR\ufffd>\ufffdK\ufffd\ufffd\n", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdA\ufffd\ufffd-\ufffde\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u001b.\u0014\ufffd\ufffd\ufffdX\ufffd\ufffd4\ufffd?\u0015\ufffdDp\u001f\ufffd \u0000\ufffd\ufffd\u0004\ufffd0'\ufffdk\ufffd>\ufffd4l,\ufffd\|\u0004D\ufffd\u0011\ufffd\ufffd{\ufffd^\ufffd\ufffd\u000b\u001b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdA\ufffd\ufffd-\ufffde\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u001b.\u0014\ufffd\ufffd\ufffdX\ufffd\ufffd4\ufffd?\u0015\ufffdDp\u001f\ufffd \u0000\ufffd\ufffd\u0004\ufffd0'\ufffdk\ufffd>\ufffd4l,\ufffd\|\u0004D\ufffd\u0011\ufffd\ufffd{\ufffd^\ufffd\ufffd\u000b\u001b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 k:\ufffd}\ufffdn.9\u000b\ufffd\ufffd#<\ufffd\ufffd\ufffd9\ufffd\ufffd+\u0019\ufffd\ufffd\ufffdR\ufffd>\ufffdK\ufffd\ufffd\n", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdA\ufffd\ufffd-\ufffde\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u001b.\u0014\ufffd\ufffd\ufffdX\ufffd\ufffd4\ufffd?\u0015\ufffdDp\u001f\ufffd \u0000\ufffd\ufffd\u0004\ufffd0'\ufffdk\ufffd>\ufffd4l,\ufffd\|\u0004D\ufffd\u0011\ufffd\ufffd{\ufffd^\ufffd\ufffd\u000b\u001b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b1db3f568bc2236ca1246b1d719768bd2050017e", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��ݗ��MH��Ua�K��Rc�&T�#u z��P;��Af�E�vk�D�E��R��v��9�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��ݗ��MH��Ua�K��Rc�&T�#u z��P;��Af�E�vk�D�E��R��v��9�&�+�/�,�0̨̩� �� /5� w �+3&$ \�jT^�� ,O,�)�{%��l Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.8508477159423595, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "1fc3abb2e03f4dd1170f97ffc0959553", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0757\ufffd\ufffd\ufffd\ufffd\ufffdM\u0002H\ufffd\ufffdUa\ufffdK\ufffd\ufffd\ufffd\u001fRc\ufffd&T\ufffd\ue0cf#u z\ufffd\ufffdP;\ufffd\ufffdAf\u0013\ufffdE\u001e\ufffdvk\ufffd\u001aD\ufffdE\ufffd\ufffdR\ufffd\ufffdv\ufffd\ufffd9\u0011\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0757\ufffd\ufffd\ufffd\ufffd\ufffdM\u0002H\ufffd\ufffdUa\ufffdK\ufffd\ufffd\ufffd\u001fRc\ufffd&T\ufffd\ue0cf#u z\ufffd\ufffdP;\ufffd\ufffdAf\u0013\ufffdE\u001e\ufffdvk\ufffd\u001aD\ufffdE\ufffd\ufffdR\ufffd\ufffdv\ufffd\ufffd9\u0011\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \\\ufffd\u0016\u001cjT^\ufffd\ufffd\ufffd\ufffd\u0003\u0003 \ufffd\ufffd,O,\ufffd\u001d)\ufffd\u0015{%\ufffd\ufffd\ufffdl\u0013", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0757\ufffd\ufffd\ufffd\ufffd\ufffdM\u0002H\ufffd\ufffdUa\ufffdK\ufffd\ufffd\ufffd\u001fRc\ufffd&T\ufffd\ue0cf#u z\ufffd\ufffdP;\ufffd\ufffdAf\u0013\ufffdE\u001e\ufffdvk\ufffd\u001aD\ufffdE\ufffd\ufffdR\ufffd\ufffdv\ufffd\ufffd9\u0011\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0757\ufffd\ufffd\ufffd\ufffd\ufffdM\u0002H\ufffd\ufffdUa\ufffdK\ufffd\ufffd\ufffd\u001fRc\ufffd&T\ufffd\ue0cf#u z\ufffd\ufffdP;\ufffd\ufffdAf\u0013\ufffdE\u001e\ufffdvk\ufffd\u001aD\ufffdE\ufffd\ufffdR\ufffd\ufffdv\ufffd\ufffd9\u0011\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \\\ufffd\u0016\u001cjT^\ufffd\ufffd\ufffd\ufffd\u0003\u0003 \ufffd\ufffd,O,\ufffd\u001d)\ufffd\u0015{%\ufffd\ufffd\ufffdl\u0013", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0757\ufffd\ufffd\ufffd\ufffd\ufffdM\u0002H\ufffd\ufffdUa\ufffdK\ufffd\ufffd\ufffd\u001fRc\ufffd&T\ufffd\ue0cf#u z\ufffd\ufffdP;\ufffd\ufffdAf\u0013\ufffdE\u001e\ufffdvk\ufffd\u001aD\ufffdE\ufffd\ufffdR\ufffd\ufffdv\ufffd\ufffd9\u0011\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "29bdd19d0f344bb69a1f91229f891c7eb6fb5cf8", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��:+ֵI+,Τ-S�)��`IOZu�y� =�ses&e�h<U�A)�e�b3�.Ґ\ԫ�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��:+ֵI+,Τ-S�)��`I OZu�y� =�ses&e�h<U�A)�e�b3�.Ґ\ԫ�&�+�/�,�0̨̩� �� /5� w �+3&$ M�昲��N��l�.�쒶{��d�Sεd�޸78 Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.8091028891345236, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "94a58515453c67f72679a1487f4433da", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003:+\u05b5\u0016I+,\u03a4\u0007-\u0019S\ufffd)\ufffd\ufffd\ufffd`I\u0018\u000b\fO\u0007Zu\u0019\ufffdy\ufffd =\u0001\ufffd\u0000ses&e\ufffdh<U\ufffdA)\ufffd\u001ce\ufffdb3\u0004\u000f\ufffd.\u0490\\\u052b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003:+\u05b5\u0016I+,\u03a4\u0007-\u0019S\ufffd)\ufffd\ufffd\ufffd`I\u0018\u000b\fO\u0007Zu\u0019\ufffdy\ufffd =\u0001\ufffd\u0000ses&e\ufffdh<U\ufffdA)\ufffd\u001ce\ufffdb3\u0004\u000f\ufffd.\u0490\\\u052b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 M\ufffd\u6632\ufffd\ufffdN\ufffd\ufffdl\ufffd.\ufffd\uc4b6{\ufffd\ufffd\ufffdd\ufffdS\u03b5d\ufffd\u07b878", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003:+\u05b5\u0016I+,\u03a4\u0007-\u0019S\ufffd)\ufffd\ufffd\ufffd`I\u0018\u000b\fO\u0007Zu\u0019\ufffdy\ufffd =\u0001\ufffd\u0000ses&e\ufffdh<U\ufffdA)\ufffd\u001ce\ufffdb3\u0004\u000f\ufffd.\u0490\\\u052b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003:+\u05b5\u0016I+,\u03a4\u0007-\u0019S\ufffd)\ufffd\ufffd\ufffd`I\u0018\u000b\fO\u0007Zu\u0019\ufffdy\ufffd =\u0001\ufffd\u0000ses&e\ufffdh<U\ufffdA)\ufffd\u001ce\ufffdb3\u0004\u000f\ufffd.\u0490\\\u052b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 M\ufffd\u6632\ufffd\ufffdN\ufffd\ufffdl\ufffd.\ufffd\uc4b6{\ufffd\ufffd\ufffdd\ufffdS\u03b5d\ufffd\u07b878", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003:+\u05b5\u0016I+,\u03a4\u0007-\u0019S\ufffd)\ufffd\ufffd\ufffd`I\u0018\u000b\fO\u0007Zu\u0019\ufffdy\ufffd =\u0001\ufffd\u0000ses&e\ufffdh<U\ufffdA)\ufffd\u001ce\ufffdb3\u0004\u000f\ufffd.\u0490\\\u052b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "22d8885aaed6d76985ce14a81842c0da7f09ea42", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��v�#^��z�]��l>=��<��5�� ;ϑ�ƭ:<�TFl��M�ɫml��휐6c�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��v�#^��z�]��l>=��<��5�� ;ϑ�ƭ:<�TFl��M�ɫml��휐6c� &�+�/�,�0̨̩� �� /5� w �+3&$ QN&�a��i��PmA�=�&:��_3Pi Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.824794905483838, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "4405c057554d442534512c8378afda61", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdv\ufffd#^\ufffd\ufffd\ufffdz\ufffd]\ufffd\ufffd\ufffd\b\u0004\ufffd\ufffd\u001cl>=\ufffd\ufffd<\ufffd\ufffd\ufffd5\ufffd\ufffd \ufffd\ufffd;\u03d1\ufffd\u01ad:<\ufffdTFl\ufffd\ufffd\ufffdM\ufffd\u026bml\ufffd\ufffd\ud7106c\ufffd\u000b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdv\ufffd#^\ufffd\ufffd\ufffdz\ufffd]\ufffd\ufffd\ufffd\b\u0004\ufffd\ufffd\u001cl>=\ufffd\ufffd<\ufffd\ufffd\ufffd5\ufffd\ufffd \ufffd\ufffd;\u03d1\ufffd\u01ad:<\ufffdTFl\ufffd\ufffd\ufffdM\ufffd\u026bml\ufffd\ufffd\ud7106c\ufffd\u000b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 QN\u0004&\ufffda\ufffd\u0003\ufffd\ufffd\ufffd\ufffdi\ufffd\ufffdPmA\ufffd=\u0015\ufffd&:\ufffd\ufffd\ufffd_3\u0012Pi", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdv\ufffd#^\ufffd\ufffd\ufffdz\ufffd]\ufffd\ufffd\ufffd\b\u0004\ufffd\ufffd\u001cl>=\ufffd\ufffd<\ufffd\ufffd\ufffd5\ufffd\ufffd \ufffd\ufffd;\u03d1\ufffd\u01ad:<\ufffdTFl\ufffd\ufffd\ufffdM\ufffd\u026bml\ufffd\ufffd\ud7106c\ufffd\u000b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdv\ufffd#^\ufffd\ufffd\ufffdz\ufffd]\ufffd\ufffd\ufffd\b\u0004\ufffd\ufffd\u001cl>=\ufffd\ufffd<\ufffd\ufffd\ufffd5\ufffd\ufffd \ufffd\ufffd;\u03d1\ufffd\u01ad:<\ufffdTFl\ufffd\ufffd\ufffdM\ufffd\u026bml\ufffd\ufffd\ud7106c\ufffd\u000b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 QN\u0004&\ufffda\ufffd\u0003\ufffd\ufffd\ufffd\ufffdi\ufffd\ufffdPmA\ufffd=\u0015\ufffd&:\ufffd\ufffd\ufffd_3\u0012Pi", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdv\ufffd#^\ufffd\ufffd\ufffdz\ufffd]\ufffd\ufffd\ufffd\b\u0004\ufffd\ufffd\u001cl>=\ufffd\ufffd<\ufffd\ufffd\ufffd5\ufffd\ufffd \ufffd\ufffd;\u03d1\ufffd\u01ad:<\ufffdTFl\ufffd\ufffd\ufffdM\ufffd\u026bml\ufffd\ufffd\ud7106c\ufffd\u000b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4751f3a189ef7b7c21aaf661b4c4b62e653efaea", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��i�7_�偊�,.�Nd~�� "�I!�bjB �2��Ri��Qg��W�- M�v@�{��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��i�7_�偊�,.�Nd~�� "�I!�bjB �2��Ri��Qg��W�- M�v@�{��&�+�/�,�0̨̩� �� /5� w �+3&$ �"��m�2�?S/�[\|N��5�U/�9��<�t+ Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.842304435691453, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "e47b30917a7ac44d47a972fa3bac3a9f", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ufffd7\u0010_\u0005\u0013\ufffd\u504a\ufffd,.\ufffdNd~\ufffd\ufffd\ufffd\u0010\ufffd \"\ufffdI!\ufffdbjB \u0001\ufffd2\ufffd\ufffdRi\ufffd\ufffdQg\ufffd\u001c\ufffd\ufffdW\ufffd-\tM\u0003\ufffdv\u001f@\ufffd{\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ufffd7\u0010_\u0005\u0013\ufffd\u504a\ufffd,.\ufffdNd~\ufffd\ufffd\ufffd\u0010\ufffd \"\ufffdI!\ufffdbjB \u0001\ufffd2\ufffd\ufffdRi\ufffd\ufffdQg\ufffd\u001c\ufffd\ufffdW\ufffd-\tM\u0003\ufffdv\u001f@\ufffd{\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\"\ufffd\ufffdm\ufffd\u00072\ufffd?S\/\ufffd[\|N\ufffd\ufffd5\ufffdU\/\ufffd9\ufffd\ufffd\ufffd<\ufffdt+\n", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ufffd7\u0010_\u0005\u0013\ufffd\u504a\ufffd,.\ufffdNd~\ufffd\ufffd\ufffd\u0010\ufffd \"\ufffdI!\ufffdbjB \u0001\ufffd2\ufffd\ufffdRi\ufffd\ufffdQg\ufffd\u001c\ufffd\ufffdW\ufffd-\tM\u0003\ufffdv\u001f@\ufffd{\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ufffd7\u0010_\u0005\u0013\ufffd\u504a\ufffd,.\ufffdNd~\ufffd\ufffd\ufffd\u0010\ufffd \"\ufffdI!\ufffdbjB \u0001\ufffd2\ufffd\ufffdRi\ufffd\ufffdQg\ufffd\u001c\ufffd\ufffdW\ufffd-\tM\u0003\ufffdv\u001f@\ufffd{\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\"\ufffd\ufffdm\ufffd\u00072\ufffd?S\/\ufffd[\|N\ufffd\ufffd5\ufffdU\/\ufffd9\ufffd\ufffd\ufffd<\ufffdt+\n", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ufffd7\u0010_\u0005\u0013\ufffd\u504a\ufffd,.\ufffdNd~\ufffd\ufffd\ufffd\u0010\ufffd \"\ufffdI!\ufffdbjB \u0001\ufffd2\ufffd\ufffdRi\ufffd\ufffdQg\ufffd\u001c\ufffd\ufffdW\ufffd-\tM\u0003\ufffdv\u001f@\ufffd{\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c6c26f815b91dc12f1f99f112123989d99e57940", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��K��ߥS�v]cz0��i��I�6 i��sn�:�G_E32�Hs�$�>\|-� ÿ&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��K��ߥS�v]cz0��i��I�6 i��sn�:�G_E32�Hs�$�>\|-� ÿ&�+�/�,�0̨̩� �� /5� w �+3&$ i f�p��!�$��O1!��?�E�� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.863210136203374, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "e29ea188ee735803977903cf884f824f", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003K\ufffd\ufffd\ufffd\ufffd\b\ufffd\ufffd\ufffd\u07e5S\ufffdv]cz0\ufffd\ufffd\ufffdi\u0003\ufffd\u0015\ufffd\ufffd\ufffd\ufffdI\ufffd6 i\ufffd\u001f\ufffdsn\ufffd\u0010\u001c:\ufffdG_E32\u0003\ufffdH\u0007s\ufffd$\ufffd>\|-\ufffd\u001f\n\u00ff\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003K\ufffd\ufffd\ufffd\ufffd\b\ufffd\ufffd\ufffd\u07e5S\ufffdv]cz0\ufffd\ufffd\ufffdi\u0003\ufffd\u0015\ufffd\ufffd\ufffd\ufffdI\ufffd6 i\ufffd\u001f\ufffdsn\ufffd\u0010\u001c:\ufffdG_E32\u0003\ufffdH\u0007s\ufffd$\ufffd>\|-\ufffd\u001f\n\u00ff\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 i f\ufffdp\ufffd\ufffd!\ufffd$\ufffd\ufffd\ufffd\u0002\ufffdO1!\ufffd\ufffd\ufffd?\ufffdE\u001b\ufffd\u0012\ufffd\u0016\ufffd\t", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003K\ufffd\ufffd\ufffd\ufffd\b\ufffd\ufffd\ufffd\u07e5S\ufffdv]cz0\ufffd\ufffd\ufffdi\u0003\ufffd\u0015\ufffd\ufffd\ufffd\ufffdI\ufffd6 i\ufffd\u001f\ufffdsn\ufffd\u0010\u001c:\ufffdG_E32\u0003\ufffdH\u0007s\ufffd$\ufffd>\|-\ufffd\u001f\n\u00ff\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003K\ufffd\ufffd\ufffd\ufffd\b\ufffd\ufffd\ufffd\u07e5S\ufffdv]cz0\ufffd\ufffd\ufffdi\u0003\ufffd\u0015\ufffd\ufffd\ufffd\ufffdI\ufffd6 i\ufffd\u001f\ufffdsn\ufffd\u0010\u001c:\ufffdG_E32\u0003\ufffdH\u0007s\ufffd$\ufffd>\|-\ufffd\u001f\n\u00ff\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 i f\ufffdp\ufffd\ufffd!\ufffd$\ufffd\ufffd\ufffd\u0002\ufffdO1!\ufffd\ufffd\ufffd?\ufffdE\u001b\ufffd\u0012\ufffd\u0016\ufffd\t", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003K\ufffd\ufffd\ufffd\ufffd\b\ufffd\ufffd\ufffd\u07e5S\ufffdv]cz0\ufffd\ufffd\ufffdi\u0003\ufffd\u0015\ufffd\ufffd\ufffd\ufffdI\ufffd6 i\ufffd\u001f\ufffdsn\ufffd\u0010\u001c:\ufffdG_E32\u0003\ufffdH\u0007s\ufffd$\ufffd>\|-\ufffd\u001f\n\u00ff\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3ed57f4a1bd5151eb3d49cc024ed9c4c1b7d5142", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��iQȐ��jYQ��Ԡ1D�'z�̿�� =6b�E�c��8��B��F�RV��C�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��iQȐ��jYQ��Ԡ1D�'z�̿�� =6b�E�c��8��B��F�RV��C�&�+�/�,�0̨̩� �� /5� w �+3&$ ~�"o�q)';�U��!<��Q=�$�VHSei Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.80859573098955, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "f8d08a7463c4563b4ecf986bcb8c0b06", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\u001aQ\u0210\u0005\ufffd\ufffd\ufffd\ufffdjYQ\ufffd\ufffd\u0010\u05201D\ufffd'z\ufffd\u033f\ufffd\u0013\ufffd\u0000\ufffd =6b\ufffdE\u0018\ufffdc\ufffd\ufffd8\ufffd\ufffd\u0005\ufffdB\ufffd\ufffd\ufffd\u0004\ufffd\ufffdF\ufffdRV\ufffd\ufffdC\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\u001aQ\u0210\u0005\ufffd\ufffd\ufffd\ufffdjYQ\ufffd\ufffd\u0010\u05201D\ufffd'z\ufffd\u033f\ufffd\u0013\ufffd\u0000\ufffd =6b\ufffdE\u0018\ufffdc\ufffd\ufffd8\ufffd\ufffd\u0005\ufffdB\ufffd\ufffd\ufffd\u0004\ufffd\ufffdF\ufffdRV\ufffd\ufffdC\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 ~\ufffd\"o\ufffdq)';\ufffdU\ufffd\ufffd!\u0010<\ufffd\u0004\ufffd\u0014\ufffdQ=\ufffd$\ufffdVHSei\u0003", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\u001aQ\u0210\u0005\ufffd\ufffd\ufffd\ufffdjYQ\ufffd\ufffd\u0010\u05201D\ufffd'z\ufffd\u033f\ufffd\u0013\ufffd\u0000\ufffd =6b\ufffdE\u0018\ufffdc\ufffd\ufffd8\ufffd\ufffd\u0005\ufffdB\ufffd\ufffd\ufffd\u0004\ufffd\ufffdF\ufffdRV\ufffd\ufffdC\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\u001aQ\u0210\u0005\ufffd\ufffd\ufffd\ufffdjYQ\ufffd\ufffd\u0010\u05201D\ufffd'z\ufffd\u033f\ufffd\u0013\ufffd\u0000\ufffd =6b\ufffdE\u0018\ufffdc\ufffd\ufffd8\ufffd\ufffd\u0005\ufffdB\ufffd\ufffd\ufffd\u0004\ufffd\ufffdF\ufffdRV\ufffd\ufffdC\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 ~\ufffd\"o\ufffdq)';\ufffdU\ufffd\ufffd!\u0010<\ufffd\u0004\ufffd\u0014\ufffdQ=\ufffd$\ufffdVHSei\u0003", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\u001aQ\u0210\u0005\ufffd\ufffd\ufffd\ufffdjYQ\ufffd\ufffd\u0010\u05201D\ufffd'z\ufffd\u033f\ufffd\u0013\ufffd\u0000\ufffd *=6b\ufffdE\u0018\ufffdc\ufffd\ufffd8\ufffd\ufffd\u0005\ufffdB\ufffd\ufffd\ufffd\u0004\ufffd\ufffdF\ufffdRV\ufffd\ufffdC\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "592d6b5cd93fdef3de6bfdc937e2a15cf65c11b8", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��{�Dds�.Ɣ}ռ� �J��"E�!Qv�#�� ~+Q�u��G�f��}��y�?vC�� l&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��{�Dds�.Ɣ}ռ� �J��"E�!Qv�#�� ~+Q�u��G�f��}��y�?vC�� l&�+�/�,�0̨̩� �� /5� w �+3&$ #�A�Ӽ�+��Bѯ�19=�y9�,S��+� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.887696485954859, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "c0f86ea1bc1e2768d1c58cd4bdc7d46a", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{\ufffdDds\ufffd.\u0194}\u057c\ufffd\t\u0018\ufffdJ\ufffd\ufffd\ufffd\ufffd\"E\ufffd!Qv\ufffd#\ufffd\ufffd\ufffd \ufffd~+Q\ufffdu\ufffd\ufffdG\ufffdf\u0019\ufffd\ufffd}\u0017\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffd?vC\ufffd\ufffd\ufffd\n\ufffdl\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{\ufffdDds\ufffd.\u0194}\u057c\ufffd\t\u0018\ufffdJ\ufffd\ufffd\ufffd\ufffd\"E\ufffd!Qv\ufffd#\ufffd\ufffd\ufffd \ufffd~+Q\ufffdu\ufffd\ufffdG\ufffdf\u0019\ufffd\ufffd}\u0017\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffd?vC\ufffd\ufffd\ufffd\n\ufffdl\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 #\ufffdA\ufffd\u04fc\ufffd+\ufffd\ufffdB\u046f\ufffd19=\ufffd\u001ay\u0014\u001e9\ufffd,\u0010S\ufffd\ufffd+\ufffd\u0002", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{\ufffdDds\ufffd.\u0194}\u057c\ufffd\t\u0018\ufffdJ\ufffd\ufffd\ufffd\ufffd\"E\ufffd!Qv\ufffd#\ufffd\ufffd\ufffd \ufffd~+Q\ufffdu\ufffd\ufffdG\ufffdf\u0019\ufffd\ufffd}\u0017\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffd?vC\ufffd\ufffd\ufffd\n\ufffdl\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{\ufffdDds\ufffd.\u0194}\u057c\ufffd\t\u0018\ufffdJ\ufffd\ufffd\ufffd\ufffd\"E\ufffd!Qv\ufffd#\ufffd\ufffd\ufffd \ufffd~+Q\ufffdu\ufffd\ufffdG\ufffdf\u0019\ufffd\ufffd}\u0017\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffd?vC\ufffd\ufffd\ufffd\n\ufffdl\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 #\ufffdA\ufffd\u04fc\ufffd+\ufffd\ufffdB\u046f\ufffd19=\ufffd\u001ay\u0014\u001e9\ufffd,\u0010S\ufffd\ufffd+\ufffd\u0002", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{\ufffdDds\ufffd.\u0194}\u057c\ufffd\t\u0018\ufffdJ\ufffd\ufffd\ufffd\ufffd\"E\ufffd!Qv\ufffd#\ufffd\ufffd\ufffd \ufffd~+Q\ufffdu\ufffd\ufffdG\ufffdf\u0019\ufffd\ufffd}\u0017\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffd?vC\ufffd\ufffd\ufffd\n\ufffdl\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e622ed53fd53434c384b29881a4b47947e0a4480", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��A8C>��{=�V�Xʄ��}rP��[ EX�� ju��)��`c`��W�1��%\|�x�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��A8C>��{=�V�Xʄ��}rP��[ EX�� ju��)��`c`��W�1��%\|�x�&�+�/�,�0̨̩� �� /5� w �+3&$ ��]ʘ.��q�sh8��/+�M��#�� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.849875027384577, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "ac953b3297edc509bd11ef8076b0bec9", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A8C>\ufffd\ufffd{=\ufffdV\ufffdX\u0284\ufffd\u000f\ufffd}rP\ufffd\ufffd[\tEX\ufffd\u0016\ufffd\ufffd\ufffd\ufffd ju\u0004\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffd\u001e`c\u001b`\ufffd\ufffd\u000e\u0003W\ufffd1\u001c\ufffd\ufffd\ufffd%\|\ufffdx\u0012\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A8C>\ufffd\ufffd{=\ufffdV\ufffdX\u0284\ufffd\u000f\ufffd}rP\ufffd\ufffd[\tEX\ufffd\u0016\ufffd\ufffd\ufffd\ufffd ju\u0004\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffd\u001e`c\u001b`\ufffd\ufffd\u000e\u0003W\ufffd1\u001c\ufffd\ufffd\ufffd%\|\ufffdx\u0012\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\u0005\ufffd]\u0298.\ufffd\ufffd\u000fq\ufffdsh8\ufffd\ufffd\/+\ufffdM\ufffd\ufffd#\ufffd\ufffd\u0003\ufffd\u000e", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A8C>\ufffd\ufffd{=\ufffdV\ufffdX\u0284\ufffd\u000f\ufffd}rP\ufffd\ufffd[\tEX\ufffd\u0016\ufffd\ufffd\ufffd\ufffd ju\u0004\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffd\u001e`c\u001b`\ufffd\ufffd\u000e\u0003W\ufffd1\u001c\ufffd\ufffd\ufffd%\|\ufffdx\u0012\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A8C>\ufffd\ufffd{=\ufffdV\ufffdX\u0284\ufffd\u000f\ufffd}rP\ufffd\ufffd[\tEX\ufffd\u0016\ufffd\ufffd\ufffd\ufffd ju\u0004\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffd\u001e`c\u001b`\ufffd\ufffd\u000e\u0003W\ufffd1\u001c\ufffd\ufffd\ufffd%\|\ufffdx\u0012\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\u0005\ufffd]\u0298.\ufffd\ufffd\u000fq\ufffdsh8\ufffd\ufffd\/+\ufffdM\ufffd\ufffd#\ufffd\ufffd\u0003\ufffd\u000e", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A8C>\ufffd\ufffd{=\ufffdV\ufffdX\u0284\ufffd\u000f\ufffd}rP\ufffd\ufffd[\tEX\ufffd\u0016\ufffd\ufffd\ufffd\ufffd ju\u0004\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffd\u001e`c\u001b`\ufffd\ufffd\u000e\u0003W\ufffd1\u001c\ufffd\ufffd\ufffd%\|\ufffdx\u0012\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3117ef445a1a17b498b68fa060bcc6bc6cef1559", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��4��Av�x��w��~dî�� B0��@}��u%_(K��f&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��4�� Av�x��w��~dî�� B0��@}��u%_(K��f&�+�/�,�0̨̩� �� /5� w �+3&$ _Ge;�K��U��.]��ġW�+ �:�$M Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.869585278640107, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "99a8fcef701264795beeebb3a20561f4", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd4\ufffd\ufffd\ufffd\ufffd\u000b\u001eA\u0012v\ufffdx\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffd\u000f\ufffd~d\u000f\u00ee\ufffd\ufffd\u000f \u0000\ufffd\ufffdB0\ufffd\u001d\ufffd@}\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu%\u0019_(K\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdf\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd4\ufffd\ufffd\ufffd\ufffd\u000b\u001eA\u0012v\ufffdx\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffd\u000f\ufffd~d\u000f\u00ee\ufffd\ufffd\u000f \u0000\ufffd\ufffdB0\ufffd\u001d\ufffd@}\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu%\u0019_(K\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdf\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 _Ge;\ufffdK\ufffd\ufffd\u0017U\u0001\ufffd\ufffd.]\ufffd\ufffd\ufffd\ufffd\u0121W\ufffd+\u000b\ufffd\u0018:\ufffd$M", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd4\ufffd\ufffd\ufffd\ufffd\u000b\u001eA\u0012v\ufffdx\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffd\u000f\ufffd~d\u000f\u00ee\ufffd\ufffd\u000f \u0000\ufffd\ufffdB0\ufffd\u001d\ufffd@}\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu%\u0019_(K\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdf\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd4\ufffd\ufffd\ufffd\ufffd\u000b\u001eA\u0012v\ufffdx\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffd\u000f\ufffd~d\u000f\u00ee\ufffd\ufffd\u000f \u0000\ufffd\ufffdB0\ufffd\u001d\ufffd@}\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu%\u0019_(K\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdf\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 _Ge;\ufffdK\ufffd\ufffd\u0017U\u0001\ufffd\ufffd.*]\ufffd\ufffd\ufffd\ufffd\u0121W\ufffd+\u000b\ufffd\u0018:\ufffd$M", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd4\ufffd\ufffd\ufffd\ufffd\u000b\u001eA\u0012v\ufffdx\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffd\u000f\ufffd~d\u000f\u00ee\ufffd\ufffd\u000f \u0000\ufffd\ufffdB0\ufffd\u001d\ufffd@}\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu%\u0019_(K\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdf\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6d7f23b305501ea120f07ae58ec367fd3551a9e3", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �� R%'��M�p��$�$�C��`Rn�� ic[�ǩ��yd�ݎ"�Iȑ�U��Ӯ��g&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) �� R%'��M�p��$�$�C��`Rn�� ic[�ǩ��yd�ݎ"�Iȑ�U��Ӯ��g&�+�/�,�0̨̩� �� /5� w �+3&$ VC�H�V`��e��N��ƭ^x��eAt Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.82969481584656, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "9571b8d9d205bf358acfa15bd1100354", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\tR%'\ufffd\ufffd\ufffdM\ufffdp\ufffd\ufffd\ufffd$\ufffd$\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`Rn\ufffd\ufffd\ufffd\ufffd i\u0018c[\ufffd\u01e9\ufffd\ufffdyd\ufffd\u074e\"\ufffdI\u0211\ufffdU\ufffd\ufffd\u0005\u04ee\ufffd\ufffd\ufffd\ufffd\u0003g\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\tR%'\ufffd\ufffd\ufffdM\ufffdp\ufffd\ufffd\ufffd$\ufffd$\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`Rn\ufffd\ufffd\ufffd\ufffd i\u0018c[\ufffd\u01e9\ufffd\ufffdyd\ufffd\u074e\"\ufffdI\u0211\ufffdU\ufffd\ufffd\u0005\u04ee\ufffd\ufffd\ufffd\ufffd\u0003g\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0002VC\ufffdH\ufffdV`\ufffd\u000e\ufffd\ufffd\ufffde\ufffd\ufffdN\ufffd\ufffd\ufffd\u01ad^x\ufffd\ufffd\ufffd\ufffd\ufffdeAt", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\tR%'\ufffd\ufffd\ufffdM\ufffdp\ufffd\ufffd\ufffd$\ufffd$\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`Rn\ufffd\ufffd\ufffd\ufffd i\u0018c[\ufffd\u01e9\ufffd\ufffdyd\ufffd\u074e\"\ufffdI\u0211\ufffdU\ufffd\ufffd\u0005\u04ee\ufffd\ufffd\ufffd\ufffd\u0003g\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\tR%'\ufffd\ufffd\ufffdM\ufffdp\ufffd\ufffd\ufffd$\ufffd$\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`Rn\ufffd\ufffd\ufffd\ufffd i\u0018c[\ufffd\u01e9\ufffd\ufffdyd\ufffd\u074e\"\ufffdI\u0211\ufffdU\ufffd\ufffd\u0005\u04ee\ufffd\ufffd\ufffd\ufffd\u0003g\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0002VC\ufffdH\ufffdV`\ufffd\u000e\ufffd\ufffd\ufffde\ufffd\ufffdN\ufffd\ufffd\ufffd\u01ad^x\ufffd\ufffd\ufffd\ufffd\ufffdeAt", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\tR%'\ufffd\ufffd\ufffdM\ufffdp\ufffd\ufffd\ufffd$\ufffd$\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`Rn\ufffd\ufffd\ufffd\ufffd i\u0018c[\ufffd\u01e9\ufffd\ufffdyd\ufffd\u074e\"\ufffdI\u0211\ufffdU\ufffd\ufffd\u0005\u04ee\ufffd\ufffd\ufffd\ufffd\u0003g\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "224972bf61859e6aa03988f4609000b94b643767", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 23:22:46 UTC	TCP	82	tls	Sonde PostgreSQL	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��L�dSdc5͉;a�Rj�N� n0u��^{ ؼ\|�c��y�2n�܁u��6��!&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��L�dSdc5͉;a�Rj�N � n0u��^{ ؼ\|�c��y�2n�܁u� ��6��!&�+�/�,�0̨̩� �� /5� w �+3&$ �@N��<�� GC��P�p.��Y��z4�e Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.878277117925689, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 82, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2bc30fe8a9509e231e6d686be81ea57ede3fec2b", "event_fingerprint": "9d8c2a54cdce32b4e5d0b35fab1afe3f4922a353", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "b9941d797bf49cb1d57ca5e76a9d0c61", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 82, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdL\ufffddSdc5\u0349;a\ufffd\u001bRj\ufffdN\f\ufffd\u0001\tn\u0004\u001f0u\ufffd\ufffd^\u0005{ \u000e\u063c\|\ufffdc\ufffd\ufffd\ufffd\ufffdy\ufffd2n\ufffd\u0701u\ufffd\u0001\u000b\ufffd\ufffd6\u0014\ufffd\ufffd\ufffd\ufffd\ufffd!\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdL\ufffddSdc5\u0349;a\ufffd\u001bRj\ufffdN\f\ufffd\u0001\tn\u0004\u001f0u\ufffd\ufffd^\u0005{ \u000e\u063c\|\ufffdc\ufffd\ufffd\ufffd\ufffdy\ufffd2n\ufffd\u0701u\ufffd\u0001\u000b\ufffd\ufffd6\u0014\ufffd\ufffd\ufffd\ufffd\ufffd!\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd@N\ufffd\u000e\ufffd\ufffd<\ufffd\ufffd\r\u0017GC\ufffd\ufffdP\ufffdp.\ufffd\ufffd\ufffdY\ufffd\ufffd\ufffdz4\ufffde", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdL\ufffddSdc5\u0349;a\ufffd\u001bRj\ufffdN\f\ufffd\u0001\tn\u0004\u001f0u\ufffd\ufffd^\u0005{ \u000e\u063c\|\ufffdc\ufffd\ufffd\ufffd\ufffdy\ufffd2n\ufffd\u0701u\ufffd\u0001\u000b\ufffd\ufffd6\u0014\ufffd\ufffd\ufffd\ufffd\ufffd!\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdL\ufffddSdc5\u0349;a\ufffd\u001bRj\ufffdN\f\ufffd\u0001\tn\u0004\u001f0u\ufffd\ufffd^\u0005{ \u000e\u063c\|\ufffdc\ufffd\ufffd\ufffd\ufffdy\ufffd2n\ufffd\u0701u\ufffd\u0001\u000b\ufffd\ufffd6\u0014\ufffd\ufffd\ufffd\ufffd\ufffd!\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd@N\ufffd\u000e\ufffd\ufffd<\ufffd\ufffd\r\u0017GC\ufffd\ufffdP\ufffdp.\ufffd\ufffd\ufffdY\ufffd\ufffd\ufffdz4\ufffde", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdL\ufffddSdc5\u0349;a\ufffd\u001bRj\ufffdN\f\ufffd\u0001\tn\u0004\u001f0u\ufffd\ufffd^\u0005{ \u000e\u063c\|\ufffdc\ufffd\ufffd\ufffd\ufffdy\ufffd2n\ufffd\u0701u\ufffd\u0001\u000b\ufffd\ufffd6\u0014\ufffd\ufffd\ufffd\ufffd\ufffd!\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b1728dc7616b994b38b5080da6f2bfbba6c8aa86", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }

8.230.14.61

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence