Renseignement sur les menaces

Corée du Sud

8.230.25.99

FAI Google LLC Première vue 15/06/2026 13:22 UTC Dernière vue 15/06/2026 13:23 UTC Risque Élevé

Période analysée : 2026-06-11 → 2026-06-18

Activité suspecte — risque 63/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 83/100 Élevé

Première observation 15/06/2026 13:22 UTC

Dernière observation 15/06/2026 13:23 UTC

Événements (période) 846

MITRE ATT&CK principal TA0007 428 occurrences

Activité suspecte — risque 63/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_flood » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 84 · Bonus corrélation +8 · 3 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 8.230.0.0/19 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 846 événements sur la période pour cette IP.

162.216.150.22 Scanner web 18/06/2026 14:20 UTC
162.216.149.222 Scan vulnérabilités 18/06/2026 14:19 UTC
35.203.211.70 Scanner web 18/06/2026 14:19 UTC
162.216.150.234 Scanner web 18/06/2026 14:19 UTC
147.185.133.153 Scanner web 18/06/2026 14:19 UTC
162.216.150.55 Sonde port 18/06/2026 14:18 UTC
35.203.210.97 Scanner web 18/06/2026 14:18 UTC
35.203.210.53 Scanner web 18/06/2026 14:18 UTC

Événements (filtres)

846

Première observation

15/06/2026 13:22 UTC

Dernière observation

15/06/2026 13:23 UTC

Dernière activité (filtres)

15/06/2026 13:23 UTC

Événements 7j

846

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

WEBMIN TCP 427 HTTP TCP 419

WEBMIN

427

HTTP

419

Géolocalisation

Origine réseau déclarée

Corée du Sud unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 10000 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

http flood · via HTTP:10000 · (tentative d'exploit) · → /app/sendgrid.py

Détails protocole

Méthode: GET
Chemin: /app/sendgrid.py
User-Agent: Mozilla/5.0 (Linux; Android 9; LM-V405) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111…

Aperçu payload

GET /app/sendgrid.py HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; LM-V405) AppleWebKit/537.36 (K

Port / service

10000 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 100 % — 3 tag(s) WAF

Technique MITRE

T1499

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1499 Upstream Waf Score

Confiance

100% Corrélation +8

Famille de menace

ddos

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

846 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

846 événement(s) — page 1/17

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:10000 · (tentative d'exploit) · → /.htaccess	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.htaccess UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /.htaccess TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /.htaccess Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Apache htaccess Ligne de requête `GET /.htaccess HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.htaccess HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, lik Requête brute (extrait) GET /.htaccess HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "htaccess", "http_ua_hash": "2b98b4a110bfad5cf6fac30f510c4af8cfc617d0", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "3450b1e7f2decdc58edd085ce04b19bc7f5d6fac", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 240, "payload_entropy": 5.357631692336812, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "fe0bfdeae60d9a6fd010cb0c90bfa4cb47954389", "event_fingerprint": "21f9ae79b33191af45d5e4dc8e578be211dcb894", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0107" ], "matched_pattern_names": [ "LFI Apache htaccess" ], "pattern_ids": [ "pat-0107" ], "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "015e075b42fd9c97293b62af91170e9f", "payload_hash": "9560bd62449b9c82aae962d79fb4c400", "path_pattern_hash": "4c27678faebafe822ea78c9ea1cb1efa" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "method": "GET", "path": "\/.htaccess", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.htaccess HTTP\/1.1", "request_sample": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "evidence": { "method": "GET", "path": "\/.htaccess", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.htaccess HTTP\/1.1", "request_sample": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ca661c2e6e0006602baf5bd953e7fb0b6d755ebb", "protocol_details": { "http_method": "GET", "http_path": "\/.htaccess", "request_line": "GET \/.htaccess HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "attack_vector": "config file probe \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.htaccess", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.htaccess", "request_line": "GET \/.htaccess HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.htaccess", "evidence_snippet": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /sendgrid.yml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.yml UA Mozilla/5.0 (MeeGo; NokiaN9) AppleWebKit/534.13 (KHTML, like Ge… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /sendgrid.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.yml HTTP/1.1` User-Agent Mozilla/5.0 (MeeGo; NokiaN9) AppleWebKit/534.13 (KHTML, like Gecko) NokiaBrowser/8.5.0 Mobile Safari/534.13 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.yml HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (MeeGo; NokiaN9) AppleWebKit/534.13 (KHTML, like Gec Requête brute (extrait) GET /sendgrid.yml HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (MeeGo; NokiaN9) AppleWebKit/534.13 (KHTML, like Gecko) NokiaBrowser/8.5.0 Mobile Safari/534.13 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "778636b0bf3f5e2a33bd110df1323712560e7d4f", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "fe30445de825aa0bffca483abd821a9f6a87533d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 240, "payload_entropy": 5.375228795847875, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "14ffab383a29e3bdcac06a17f713072aea70df2e", "event_fingerprint": "cd7943618c13c02c87a224fb787cd0d178d1e588", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d0699fe8b6fd28afc7919004320e6175", "payload_hash": "478e6b001357f3525dbb1e7335e68bf8", "path_pattern_hash": "7777bc3cc4ee53dc76c001dce4e79fd5" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, like Gec", "method": "GET", "path": "\/sendgrid.yml", "user_agent": "Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, like Gecko) NokiaBrowser\/8.5.0 Mobile Safari\/534.13", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yml HTTP\/1.1", "request_sample": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, like Gecko) NokiaBrowser\/8.5.0 Mobile Safari\/534.13\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, like Gec", "evidence": { "method": "GET", "path": "\/sendgrid.yml", "user_agent": "Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, like Gecko) NokiaBrowser\/8.5.0 Mobile Safari\/534.13", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yml HTTP\/1.1", "request_sample": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, like Gecko) NokiaBrowser\/8.5.0 Mobile Safari\/534.13\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, like Gec", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2a93df6aaac00e50df06588442056e6da351eff9", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yml", "request_line": "GET \/sendgrid.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, like Gecko) NokiaBrowser\/8.5.0 Mobile Safari\/534.13", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, like Gec", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yml", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yml", "request_line": "GET \/sendgrid.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, like Gecko) NokiaBrowser\/8.5.0 Mobile Safari\/534.13", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yml", "evidence_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, like Gec", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /config/sendgrid.yml	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.yml UA Mozilla/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/sendgrid.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /config/sendgrid.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.yml HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebK Requête brute (extrait) GET /config/sendgrid.yml HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connectio Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "aafc9c24701a2406e835625180be116a92757f2c", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "0bd9f817e7997b41e7d0b8b8dd114ee25267d094", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 268, "payload_entropy": 5.416304504298137, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "8398e3f448f94bfe166d1a0716f446af2e83154b", "event_fingerprint": "8ccbd1c61a86c985b8111febd99b9c73247bb212", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6b75aa9d29f220e9bce8089cb60461c5", "payload_hash": "923f45dcba9a513eb968f78493ddc09f", "path_pattern_hash": "b33a5d11f328bd7713feb258f3d7e0c0" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebK", "method": "GET", "path": "\/config\/sendgrid.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.yml HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebK", "evidence": { "method": "GET", "path": "\/config\/sendgrid.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.yml HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebK", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f31ddf09d137bf8bc23e783dbf18e3e28df1c26a", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.yml", "request_line": "GET \/config\/sendgrid.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safa\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebK", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.yml", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.yml", "request_line": "GET \/config\/sendgrid.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safa\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.yml", "evidence_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebK", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /mailer/sendgrid.php	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /mailer/sendgrid.php UA Mozilla/5.0 (Linux; Android 9; PH-1) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /mailer/sendgrid.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /mailer/sendgrid.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /mailer/sendgrid.php HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; PH-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /mailer/sendgrid.php HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; PH-1) AppleWebKit/537.36 ( Requête brute (extrait) GET /mailer/sendgrid.php HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; PH-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "6383d57b72cd2e226c297a4d17132164a10944c1", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "dae727d8f431c63a4890b644ed3bde6b8b286d4f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.38063687875966, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f31661a442174841a23ce769bd20c24cdad800e6", "event_fingerprint": "565d9f9a8350b16df649411c0b82e8fd62dd2222", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6dd90fdc6e31cb7cc3fd41d7e7cb6773", "payload_hash": "5bd7609cfe6a57096a1bc8d52f889bcc", "path_pattern_hash": "efcedb7b18ae8ea8d96de301e7bc027e" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (", "method": "GET", "path": "\/mailer\/sendgrid.php", "user_agent": "Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.php HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/mailer\/sendgrid.php", "user_agent": "Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.php HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "50a1931f03fc6fe3973b59534246f0bc8516ed1b", "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.php", "request_line": "GET \/mailer\/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.php", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.php", "request_line": "GET \/mailer\/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.php", "evidence_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /config/sendgrid.php	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.php UA MOT-V177/0.1.75 UP.Browser/6.2.3.9.c.12 (GUI) MMP/2.0 UP.Link/6… Émulateur HTTP WAF 12 Recommandation Investiguer Tags 950468:nosqli-3 950470:nosqli-3 http_probe_config net_flood Cible HTTP GET /config/sendgrid.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /config/sendgrid.php Service HTTP Pourquoi cette classification : Tags WAF: nosqli-3 · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.php HTTP/1.1` User-Agent MOT-V177/0.1.75 UP.Browser/6.2.3.9.c.12 (GUI) MMP/2.0 UP.Link/6.3.1.13.0 Règles WAF nosqli-3 Payload (extrait) GET /config/sendgrid.php HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: MOT-V177/0.1.75 UP.Browser/6.2.3.9.c.12 (GUI) MMP/2.0 UP. Requête brute (extrait) GET /config/sendgrid.php HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: MOT-V177/0.1.75 UP.Browser/6.2.3.9.c.12 (GUI) MMP/2.0 UP.Link/6.3.1.13.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "05e757b68691863e94ea0703ccd7b3413032d8c3", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "5a7c4db4e49228f435e7f3ef670fd7a77af86fbd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 212, "payload_entropy": 5.233289005047779, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 56, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "13f8dc3d1e65979942b2a6daa7616ac12ee5a418", "event_fingerprint": "d95a31c6a8c4513c12bb669166b4c3d0c4aab892", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c9ff599ca62b67bbf6bb43e5a81aefae", "payload_hash": "fb926628921013a6694d738de0005e1d", "path_pattern_hash": "c0ea70e9176b91c1342a31c50481c975" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: MOT-V177\/0.1.75 UP.Browser\/6.2.3.9.c.12 (GUI) MMP\/2.0 UP.", "method": "GET", "path": "\/config\/sendgrid.php", "user_agent": "MOT-V177\/0.1.75 UP.Browser\/6.2.3.9.c.12 (GUI) MMP\/2.0 UP.Link\/6.3.1.13.0", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/config\/sendgrid.php HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: MOT-V177\/0.1.75 UP.Browser\/6.2.3.9.c.12 (GUI) MMP\/2.0 UP.Link\/6.3.1.13.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: MOT-V177\/0.1.75 UP.Browser\/6.2.3.9.c.12 (GUI) MMP\/2.0 UP.", "evidence": { "method": "GET", "path": "\/config\/sendgrid.php", "user_agent": "MOT-V177\/0.1.75 UP.Browser\/6.2.3.9.c.12 (GUI) MMP\/2.0 UP.Link\/6.3.1.13.0", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/config\/sendgrid.php HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: MOT-V177\/0.1.75 UP.Browser\/6.2.3.9.c.12 (GUI) MMP\/2.0 UP.Link\/6.3.1.13.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: MOT-V177\/0.1.75 UP.Browser\/6.2.3.9.c.12 (GUI) MMP\/2.0 UP.", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ea72554cd776e5e01dfbcca9c3fa660c23f721d8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.php", "request_line": "GET \/config\/sendgrid.php HTTP\/1.1", "http_user_agent": "MOT-V177\/0.1.75 UP.Browser\/6.2.3.9.c.12 (GUI) MMP\/2.0 UP.Link\/6.3.1.13.0", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: MOT-V177\/0.1.75 UP.Browser\/6.2.3.9.c.12 (GUI) MMP\/2.0 UP.", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.php", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.php", "request_line": "GET \/config\/sendgrid.php HTTP\/1.1", "http_user_agent": "MOT-V177\/0.1.75 UP.Browser\/6.2.3.9.c.12 (GUI) MMP\/2.0 UP.Link\/6.3.1.13.0", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.php", "evidence_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: MOT-V177\/0.1.75 UP.Browser\/6.2.3.9.c.12 (GUI) MMP\/2.0 UP.", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 56 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /sendgrid.yaml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.yaml UA Mozilla/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKi… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /sendgrid.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.yaml HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKi Requête brute (extrait) GET /sendgrid.yaml HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "e23a3034c7f4b27b852b015a2ef8ad939893d753", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "6ddb9259a81c5943f174c8762a08f320950440bd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.384172155355011, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "14ffab383a29e3bdcac06a17f713072aea70df2e", "event_fingerprint": "90358c46d6c79d43c8e96d85bf276f3e4a4b2a71", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bb04918531888fa47be5e7b2ef0880b6", "payload_hash": "3477c30eba29523c79b708a5e9b4ae7f", "path_pattern_hash": "586d42da805584afffe4b06de4328fe7" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKi", "method": "GET", "path": "\/sendgrid.yaml", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "request_sample": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKi", "evidence": { "method": "GET", "path": "\/sendgrid.yaml", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "request_sample": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKi", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1248f107534b4e26177837d46a3f494d3ffa466d", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yaml", "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKi", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yaml", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yaml", "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yaml", "evidence_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKi", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /sendgrid.php	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.php UA Mozilla/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Bu… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /sendgrid.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.php HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.php HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Bui Requête brute (extrait) GET /sendgrid.php HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Accept-Charset: utf-8 Accept-Encoding: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "d7524cb8f6bca20d6e635bf54e6b08baad462745", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "aeebeac9e1ed0166b8b2a8b12207a52ac16be70d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 284, "payload_entropy": 5.376266539902904, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "14ffab383a29e3bdcac06a17f713072aea70df2e", "event_fingerprint": "f94c6eedaf7f4e4eba74b7b019f93ec3f57d20ee", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1a12f49730945b9c394ae9871edf3a4f", "payload_hash": "82aa9bb4f786477537abb1beb4e7bd23", "path_pattern_hash": "1c628b1c6b42ab40202a01c40f9a976e" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Bui", "method": "GET", "path": "\/sendgrid.php", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.php HTTP\/1.1", "request_sample": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "payload_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Bui", "evidence": { "method": "GET", "path": "\/sendgrid.php", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.php HTTP\/1.1", "request_sample": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "payload_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Bui", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4fba329d3198766191ad979635286b295c4c6222", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.php", "request_line": "GET \/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Vers\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Bui", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.php", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.php", "request_line": "GET \/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Vers\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.php", "evidence_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Bui", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /config/sendgrid.json	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.json UA Opera/7.51 (Windows NT 5.1; U) [en] Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 http_probe_config net_flood Cible HTTP GET /config/sendgrid.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /config/sendgrid.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.json HTTP/1.1` User-Agent Opera/7.51 (Windows NT 5.1; U) [en] Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.json HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Opera/7.51 (Windows NT 5.1; U) [en] Accept-Charset: utf Requête brute (extrait) GET /config/sendgrid.json HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Opera/7.51 (Windows NT 5.1; U) [en] Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "15d076f5d5012f5c648eda87ddf67503dd356260", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "6c93d1b9fbdf8e8d128caa00a09f6faf39a40791", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 176, "payload_entropy": 5.182936533563388, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f80bdf6bffe961f463019e37123478b8a1124aea", "event_fingerprint": "0f37804187d9ecec2d33a5b6765812bef61e64ef", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7f2162663102c514973e470d9fe75d23", "payload_hash": "1b4bb68f8f12e81c4563e2afadde6c6d", "path_pattern_hash": "b3c041376e66dccb94b76d7207504df9" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Opera\/7.51 (Windows NT 5.1; U) [en]\r\nAccept-Charset: utf", "method": "GET", "path": "\/config\/sendgrid.json", "user_agent": "Opera\/7.51 (Windows NT 5.1; U) [en]", "waf_tags": [ "950326:rce-0", "950468:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Opera\/7.51 (Windows NT 5.1; U) [en]\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Opera\/7.51 (Windows NT 5.1; U) [en]\r\nAccept-Charset: utf", "evidence": { "method": "GET", "path": "\/config\/sendgrid.json", "user_agent": "Opera\/7.51 (Windows NT 5.1; U) [en]", "waf_tags": [ "950326:rce-0", "950468:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Opera\/7.51 (Windows NT 5.1; U) [en]\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Opera\/7.51 (Windows NT 5.1; U) [en]\r\nAccept-Charset: utf", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "30a75bc7ae6b4db8e9aea5549aeb2df4b3da3f20", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.json", "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "http_user_agent": "Opera\/7.51 (Windows NT 5.1; U) [en]", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Opera\/7.51 (Windows NT 5.1; U) [en]\r\nAccept-Charset: utf", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.json", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.json", "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "http_user_agent": "Opera\/7.51 (Windows NT 5.1; U) [en]", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.json", "evidence_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Opera\/7.51 (Windows NT 5.1; U) [en]\r\nAccept-Charset: utf", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /email/sendgrid.py	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /email/sendgrid.py UA Mozilla/5.0 (Linux; U; Android 1.5; en-us; sdk Build/CUPCAKE) A… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /email/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /email/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /email/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 1.5; en-us; sdk Build/CUPCAKE) AppleWebkit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /email/sendgrid.py HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-us; sdk Build/CUPCAK Requête brute (extrait) GET /email/sendgrid.py HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-us; sdk Build/CUPCAKE) AppleWebkit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Accept-Charset: utf-8 Accept-Encoding: gzip Co Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "ab48b72c0a6eee0aa9986264dd514c99cad2fbd5", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "190af723c99988769325445339d91d711879f378", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 275, "payload_entropy": 5.356532128386636, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f31661a442174841a23ce769bd20c24cdad800e6", "event_fingerprint": "1b7c114eff4eae6aad2651d0ebbbeb90ef945c12", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8e63a6d9611cab20c06527104cc8dbd2", "payload_hash": "1bbb879d1640ef30afcf5e7414254295", "path_pattern_hash": "aa093fa1b6f985e5ed81b711d71d6186" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAK", "method": "GET", "path": "\/email\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAKE) AppleWebkit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/email\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAKE) AppleWebkit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "payload_snippet": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAK", "evidence": { "method": "GET", "path": "\/email\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAKE) AppleWebkit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/email\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAKE) AppleWebkit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "payload_snippet": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAK", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e37dc99c650d0457c80b232ee84d7da7f19347e1", "protocol_details": { "http_method": "GET", "http_path": "\/email\/sendgrid.py", "request_line": "GET \/email\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAKE) AppleWebkit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobi\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAK", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/email\/sendgrid.py", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/email\/sendgrid.py", "request_line": "GET \/email\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAKE) AppleWebkit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobi\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/email\/sendgrid.py", "evidence_snippet": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAK", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /config/sendgrid.py	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.py UA Mozilla/5.0 (Linux; Android 9; Pixel 2 XL) AppleWebKit/537.36 (… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /config/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Pixel 2 XL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.18 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.py HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel 2 XL) AppleWebKit/537 Requête brute (extrait) GET /config/sendgrid.py HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel 2 XL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.18 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "138be3cba11203174b5b31911e1a05a35f035f3a", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "c39a8449a6e4f2889aa8a56e74d7dff99a1b9759", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.398143493084268, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "8398e3f448f94bfe166d1a0716f446af2e83154b", "event_fingerprint": "5729355bca12bb023e34e2bf6e40b24c72665ead", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e4aae174e2be385424703b741b519268", "payload_hash": "0b30d1597070504f9080f3e00f530b5b", "path_pattern_hash": "9abcee9f2bf7633ad04f7c379dbcfd85" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 2 XL) AppleWebKit\/537", "method": "GET", "path": "\/config\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 2 XL) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.18 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 2 XL) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.18 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 2 XL) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/config\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 2 XL) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.18 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 2 XL) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.18 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 2 XL) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "64c183c528847c21aa9c70b408bc18567e3f0455", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.py", "request_line": "GET \/config\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 2 XL) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.18 Mobile Safari\/537\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 2 XL) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.py", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.py", "request_line": "GET \/config\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 2 XL) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.18 Mobile Safari\/537\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.py", "evidence_snippet": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 2 XL) AppleWebKit\/537", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /mail/sendgrid.py	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /mail/sendgrid.py UA Mozilla/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit/537.36 (… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_mail Cible HTTP GET /mail/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /mail/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /mail/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /mail/sendgrid.py HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit/537.3 Requête brute (extrait) GET /mail/sendgrid.py HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "5ed68237131e8293718cc92ed67105fb1c29ab36", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "4e4e30676a1660aa4bddd155759e5f2063e42ebb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.4640563690571655, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "23214ea810256c9037d03b2c8443abdcc32920e7", "event_fingerprint": "7260bafc57d98b0755ca9c791cc895677e21efd3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "25da6c4881fc704002863e1996f6db1d", "payload_hash": "e059521a42a76916c47612eb83afabc0", "path_pattern_hash": "b5e77b51819ded84d893a1ced6a06cf4" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.3", "method": "GET", "path": "\/mail\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mail\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/mail\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mail\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cc0ee44e814fdd4ffa08050d53594a89d4635cb4", "protocol_details": { "http_method": "GET", "http_path": "\/mail\/sendgrid.py", "request_line": "GET \/mail\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/53\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mail\/sendgrid.py", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/mail\/sendgrid.py", "request_line": "GET \/mail\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/53\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mail\/sendgrid.py", "evidence_snippet": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.3", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_mail", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /backend/sendgrid.py	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /backend/sendgrid.py UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /backend/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /backend/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backend/sendgrid.py HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK Requête brute (extrait) GET /backend/sendgrid.py HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "45c636e77901b96c70f360cae011d912a8e2e92e", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "9b3b3fd51ae018208ce4d96cbad2187f4475e746", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.41475003025746, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f31661a442174841a23ce769bd20c24cdad800e6", "event_fingerprint": "2e372881593689d5fd6cb53de82c92474d09bcf4", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f9bd990875663102878e16cd2ce3aafa", "payload_hash": "f912341962c323bddf92037971321162", "path_pattern_hash": "ecf29d1ed95b1fd215637cce0a9e7303" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK", "method": "GET", "path": "\/backend\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.84 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.84 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK", "evidence": { "method": "GET", "path": "\/backend\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.84 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.84 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0a7d8ed7d423edcc7f6d8d12d2e360810a7b4b4c", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/sendgrid.py", "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.84 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/sendgrid.py", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/sendgrid.py", "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.84 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/sendgrid.py", "evidence_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /sendgrid-config.json	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid-config.json UA Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/2003051… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid-config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /sendgrid-config.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid-config.json HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/20030517 Mozilla Firebird/0.6 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid-config.json HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/ Requête brute (extrait) GET /sendgrid-config.json HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/20030517 Mozilla Firebird/0.6 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "ca9b5cbe2fa1dd4d9da41a80a7aae0baf25a5590", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "7d5ebcf94187fd12c4375ea09c6c54bd408b8303", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 226, "payload_entropy": 5.328489248188521, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "14ffab383a29e3bdcac06a17f713072aea70df2e", "event_fingerprint": "60218892cd933589eb867e363269e91c0e70e3e2", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3f397ad907ad1a110e5b37327be373a1", "payload_hash": "5398c13260b6ef6d4fe65e12ba4aacb0", "path_pattern_hash": "170a7f6ff312a524729718105c471f02" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/", "method": "GET", "path": "\/sendgrid-config.json", "user_agent": "Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Firebird\/0.6", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "request_sample": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Firebird\/0.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/", "evidence": { "method": "GET", "path": "\/sendgrid-config.json", "user_agent": "Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Firebird\/0.6", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "request_sample": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Firebird\/0.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ad56d82e4e7f3aa14d1ecd6954d3ae1b3d90c2ae", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid-config.json", "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Firebird\/0.6", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid-config.json", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid-config.json", "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Firebird\/0.6", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid-config.json", "evidence_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /sendgrid.config.json	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.config.json UA Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Émulateur HTTP WAF 7 Recommandation Investiguer Tags 950326:rce-0 http_metasploit_ua net_flood Cible HTTP GET /sendgrid.config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /sendgrid.config.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 67 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.config.json HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Règles WAF rce-0 Payload (extrait) GET /sendgrid.config.json HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Acce Requête brute (extrait) GET /sendgrid.config.json HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "96e1db10c74ac5f8e9c335efe735320e22b5dbee", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "eeb189e33107611f717db38a6842e4ac40f53918", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.240324474203909, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 36, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 3.9, "risk_breakdown": { "waf": 36, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 67, "tag_count": 3, "anomaly_count": 0, "campaign_key": "25639ef5d60905a8e09f4525ef4718b42555a191", "event_fingerprint": "16ac37aa90c4397c02966c4683dd70eabcc63c77", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 36, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 67, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "dd31faa4256f873e33967d39c189a795", "payload_hash": "6fa0c5ef8f5ec75a32314dbc3d6cd8b1", "path_pattern_hash": "d03aef47d2b763bc56a13f3ba838e778" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nAcce", "method": "GET", "path": "\/sendgrid.config.json", "user_agent": "Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "waf_tags": [ "950326:rce-0" ], "waf_rule_names": [ "rce-0" ], "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "request_sample": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nAcce", "evidence": { "method": "GET", "path": "\/sendgrid.config.json", "user_agent": "Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "waf_tags": [ "950326:rce-0" ], "waf_rule_names": [ "rce-0" ], "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "request_sample": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nAcce", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "304f204156b9f2f9e6259155ba39b0337c356f38", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.config.json", "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nAcce", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.config.json", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 36, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 67, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.config.json", "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.config.json", "evidence_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nAcce", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 36 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "http_metasploit_ua", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /mailer/sendgrid.py	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /mailer/sendgrid.py UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /mailer/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /mailer/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /mailer/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /mailer/sendgrid.py HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi Requête brute (extrait) GET /mailer/sendgrid.py HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "8723b30d3854c76ad41328e7480ebc55e0664fae", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "9b85ba3fc4ac4a1549d12be2ecef5722bb151f3a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.409612268312993, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f31661a442174841a23ce769bd20c24cdad800e6", "event_fingerprint": "3df8ff108fb8390745da97d6ec8b4abec1f483f6", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "341374392238ec58c0ddba04622adfe1", "payload_hash": "8629a03d8c13c7038e145e282116e1c2", "path_pattern_hash": "8c4b21a7860b8f6d464d0085eb236a5b" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "method": "GET", "path": "\/mailer\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "evidence": { "method": "GET", "path": "\/mailer\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "389af62e4c301de9a4871edd7a77d3894c46b0e6", "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.py", "request_line": "GET \/mailer\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.py", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.py", "request_line": "GET \/mailer\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.py", "evidence_snippet": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /sendgrid.json	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.json UA Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUA… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /sendgrid.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUAWEIEML-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 baidu.sogo.uc.UCBrowser/11.9.4.974 UWS/2.13.1.48 Mo… Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.json HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUA Requête brute (extrait) GET /sendgrid.json HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUAWEIEML-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 baidu.sogo.uc.UCBrowser/11.9.4.974 UWS/2.13 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "a0d4576af53f87cdc2baaa057d0330388196a422", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "334746630c59d3caca795d70405b3b173f74a90b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 440, "payload_entropy": 5.5067711285764664, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "14ffab383a29e3bdcac06a17f713072aea70df2e", "event_fingerprint": "06348426c84f7eb2463f3f163da5cb8476cde25e", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e4eece6ef0a41f0fb3516b5bbe27e9f6", "payload_hash": "d69267262214fb0e4e8ff6535c9d02d4", "path_pattern_hash": "e6f5fbc298134f1524aeaece47705fce" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build\/HUA", "method": "GET", "path": "\/sendgrid.json", "user_agent": "Mozilla\/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build\/HUAWEIEML-AL00) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 baidu.sogo.uc.UCBrowser\/11.9.4.974 UWS\/2.13.1.48 Mobile Safari\/537.36 AliApp(DingTalk\/4.5.11) com.alibaba.a\u2026", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.json HTTP\/1.1", "request_sample": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build\/HUAWEIEML-AL00) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 baidu.sogo.uc.UCBrowser\/11.9.4.974 UWS\/2.13", "payload_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build\/HUA", "evidence": { "method": "GET", "path": "\/sendgrid.json", "user_agent": "Mozilla\/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build\/HUAWEIEML-AL00) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 baidu.sogo.uc.UCBrowser\/11.9.4.974 UWS\/2.13.1.48 Mobile Safari\/537.36 AliApp(DingTalk\/4.5.11) com.alibaba.a\u2026", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.json HTTP\/1.1", "request_sample": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build\/HUAWEIEML-AL00) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 baidu.sogo.uc.UCBrowser\/11.9.4.974 UWS\/2.13", "payload_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build\/HUA", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8d58dc3069b13955075a07bd487b54d72a0db5b1", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.json", "request_line": "GET \/sendgrid.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build\/HUAWEIEML-AL00) AppleWebKit\/537.36 (KHTML, like Gecko) Vers\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build\/HUA", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.json", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.json", "request_line": "GET \/sendgrid.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build\/HUAWEIEML-AL00) AppleWebKit\/537.36 (KHTML, like Gecko) Vers\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.json", "evidence_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build\/HUA", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /app/sendgrid.py	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app/sendgrid.py UA Mozilla/5.0 (Linux; Android 9; LM-V405) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /app/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /app/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; LM-V405) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app/sendgrid.py HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; LM-V405) AppleWebKit/537.36 (K Requête brute (extrait) GET /app/sendgrid.py HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; LM-V405) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "fc9781c975d92c72d7fbdb574659c43840811169", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "a743b8206ca823c369ef5eb8bfeb21a48b56cf7e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.420242219705408, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f31661a442174841a23ce769bd20c24cdad800e6", "event_fingerprint": "60fd3a1bd59ce0a14527d23f549b42eb4d974c4a", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b1203e067229de427efedba4a41e9c2d", "payload_hash": "27e3c2cb73c4edb77984a308eceecadb", "path_pattern_hash": "bbc1021582141e8e631079ccf6c69d4d" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/app\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/app\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (K", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9096a0eca3a7bc12d83b13eae366f6a58058a3a0", "protocol_details": { "http_method": "GET", "http_path": "\/app\/sendgrid.py", "request_line": "GET \/app\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (K", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/sendgrid.py", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/sendgrid.py", "request_line": "GET \/app\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/sendgrid.py", "evidence_snippet": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (K", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:10000 · (tentative d'exploit) · → /.htpasswd	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.htpasswd UA Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950522:leak-9 http_sensitive_path Cible HTTP GET /.htpasswd TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /.htpasswd Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Apache htpasswd LFI Apache htpasswd Ligne de requête `GET /.htpasswd HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-9 Payload (extrait) GET /.htpasswd HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /.htpasswd HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "htpasswd", "http_ua_hash": "b3d22f895da9c2c4215ef423052260fc316ffda8", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "ade2de8d21551efb00f221b43821b4acb26b6f79", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.434845133174474, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "04d2f3f4bd5843791ae3cb5a50ca518d092bb0d5", "event_fingerprint": "1816ac5f346317e9507aa05ae2a1f690a179ba72", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0469", "pat-0108" ], "matched_pattern_names": [ "Cred Apache htpasswd", "LFI Apache htpasswd" ], "pattern_ids": [ "pat-0469", "pat-0108" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d20b07ded14e724ade48f5e902451797", "payload_hash": "c9e543aa31bf14d640a830a7b5fb62d3", "path_pattern_hash": "229c0a4c773f5f9eeec1d298c58088ee" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/.htpasswd", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950522:leak-9" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-9" ], "request_line": "GET \/.htpasswd HTTP\/1.1", "request_sample": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/.htpasswd", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950522:leak-9" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-9" ], "request_line": "GET \/.htpasswd HTTP\/1.1", "request_sample": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "54b32dff3a98318a88f573867e93dd2640d03067", "protocol_details": { "http_method": "GET", "http_path": "\/.htpasswd", "request_line": "GET \/.htpasswd HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML,", "attack_vector": "config file probe \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.htpasswd", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.htpasswd", "request_line": "GET \/.htpasswd HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.htpasswd", "evidence_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML,", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950522:leak-9", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /server.log	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /server.log UA Mozilla/5.0 (Linux; Android 9; GM1913) AppleWebKit/537.36 (KHTM… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /server.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /server.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /server.log HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; GM1913) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server.log HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; GM1913) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /server.log HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; GM1913) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "52afa0c63fa89c52914758be7103e16b482e18dc", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "437770240dcc724c5033b3c158c576b84dde4de1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.379776905484, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9e37d4111d1878360966dc1ff6478ffc87852224", "event_fingerprint": "546c068a6c657c539d8033e9788bab8ead070092", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8a3e3eee7a039c5e5f6a9978df88c13d", "payload_hash": "c0691cbe8911abd945d4c24c93502d1e", "path_pattern_hash": "1bb66c038c973622f0056a763496f9ef" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1913) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/server.log", "user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1913) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.log HTTP\/1.1", "request_sample": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1913) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1913) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/server.log", "user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1913) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.log HTTP\/1.1", "request_sample": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1913) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1913) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2dd0d6223db1f2167acd698a1aa6d8d485fc7ff4", "protocol_details": { "http_method": "GET", "http_path": "\/server.log", "request_line": "GET \/server.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1913) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1913) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.log", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server.log", "request_line": "GET \/server.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1913) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.log", "evidence_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1913) AppleWebKit\/537.36 (KHTML,", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /log/debug.log	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /log/debug.log UA Mozilla/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit/537.36 (… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_log Cible HTTP GET /log/debug.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /log/debug.log Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Debug log disclosure Ligne de requête `GET /log/debug.log HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /log/debug.log HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit/537.36 ( Requête brute (extrait) GET /log/debug.log HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "5ed68237131e8293718cc92ed67105fb1c29ab36", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "3fb5b472f52b8bcac2f6138463cf27ff65b8c633", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.447762582303941, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "9d291850c303987c9a4f025f63a755a70598b0b5", "event_fingerprint": "12238a3b930e880d3e0b65381db9a130c9dde29c", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0110" ], "matched_pattern_names": [ "LFI Debug log disclosure" ], "pattern_ids": [ "pat-0110" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "25da6c4881fc704002863e1996f6db1d", "payload_hash": "a1ad53e6d47f9e336dc4bbc9ce1f1942", "path_pattern_hash": "0a13815894d10bbcd047ea689c56dc08" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (", "method": "GET", "path": "\/log\/debug.log", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/log\/debug.log HTTP\/1.1", "request_sample": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/log\/debug.log", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/log\/debug.log HTTP\/1.1", "request_sample": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1457742bbf4e9cbb35816912a2e4d2f47f3a2587", "protocol_details": { "http_method": "GET", "http_path": "\/log\/debug.log", "request_line": "GET \/log\/debug.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/53\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/log\/debug.log", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/log\/debug.log", "request_line": "GET \/log\/debug.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/53\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/log\/debug.log", "evidence_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_log", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:12 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /app.log	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app.log UA Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120502 Firefox/1… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /app.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /app.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app.log HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120502 Firefox/12.0 SeaMonkey/2.9.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app.log HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120502 Firefox/12.0 Se Requête brute (extrait) GET /app.log HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120502 Firefox/12.0 SeaMonkey/2.9.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "329b57f0c63ff8aaabab5a13dd83c43ae717d24a", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "bd1d5b79d00a082701f913befabe9ce3bb41a839", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 210, "payload_entropy": 5.270525940782522, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9e37d4111d1878360966dc1ff6478ffc87852224", "event_fingerprint": "0e9f5adac461f4f1e6e3285e258dd93a51240066", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e1bbf2fdbf5a204510f8f30f34e5c41d", "payload_hash": "9ec2f223d7125d36c13abb64a80ac76b", "path_pattern_hash": "705676047b0602f87a6c259c895bc0e9" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0 Se", "method": "GET", "path": "\/app.log", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0 SeaMonkey\/2.9.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.log HTTP\/1.1", "request_sample": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0 SeaMonkey\/2.9.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0 Se", "evidence": { "method": "GET", "path": "\/app.log", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0 SeaMonkey\/2.9.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.log HTTP\/1.1", "request_sample": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0 SeaMonkey\/2.9.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0 Se", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f2e8edb7a35fe423436fa9a229cd966902ca97f4", "protocol_details": { "http_method": "GET", "http_path": "\/app.log", "request_line": "GET \/app.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0 SeaMonkey\/2.9.1", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0 Se", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.log", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app.log", "request_line": "GET \/app.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0 SeaMonkey\/2.9.1", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.log", "evidence_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0 Se", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /.circleci/config.yml	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.circleci/config.yml UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.circleci/config.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /.circleci/config.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.circleci/config.yml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.54 Safari/535.2 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.circleci/config.yml HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebK Requête brute (extrait) GET /.circleci/config.yml HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.54 Safari/535.2 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "5599cfe9241d316704f49b82a0b96b3ec32c66dd", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "42ed80c065555149f59c15145f7ae964b6a99b5e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.3756273661025915, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c034d68eb34652fd700761bcc845283ee8373360", "event_fingerprint": "d435c13506a6a5afad9bcd3f30b426446b996214", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0fe32aaedb84498aada93e310897da64", "payload_hash": "ea71792564987250e88d77d185bb4439", "path_pattern_hash": "b893b0eec412648d41158b9ec6bd21e4" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebK", "method": "GET", "path": "\/.circleci\/config.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.2 (KHTML, like Gecko) Chrome\/15.0.874.54 Safari\/535.2", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.circleci\/config.yml HTTP\/1.1", "request_sample": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.2 (KHTML, like Gecko) Chrome\/15.0.874.54 Safari\/535.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebK", "evidence": { "method": "GET", "path": "\/.circleci\/config.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.2 (KHTML, like Gecko) Chrome\/15.0.874.54 Safari\/535.2", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.circleci\/config.yml HTTP\/1.1", "request_sample": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.2 (KHTML, like Gecko) Chrome\/15.0.874.54 Safari\/535.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebK", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4842739e78a1da17133a5e2bffb046678d914315", "protocol_details": { "http_method": "GET", "http_path": "\/.circleci\/config.yml", "request_line": "GET \/.circleci\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.2 (KHTML, like Gecko) Chrome\/15.0.874.54 Safari\/535.2", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebK", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.circleci\/config.yml", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.circleci\/config.yml", "request_line": "GET \/.circleci\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.2 (KHTML, like Gecko) Chrome\/15.0.874.54 Safari\/535.2", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.circleci\/config.yml", "evidence_snippet": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebK", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /nginx.config	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /nginx.config UA Mozilla/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit/53… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /nginx.config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /nginx.config Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /nginx.config HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /nginx.config HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit/537 Requête brute (extrait) GET /nginx.config HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "config", "http_ua_hash": "50fa0e84739a53ff2ca339a8b3f9d6e15da14af9", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "e275586080f0f32618bdbe0c80334164416e3043", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 262, "payload_entropy": 5.372511744132625, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "14ffab383a29e3bdcac06a17f713072aea70df2e", "event_fingerprint": "d603dddbe892e063d16e93187d1c969ecea7f6cb", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "dba530ae9f5fa9a0b9739d7895f5e92b", "payload_hash": "bc6af647ad6cb02665a420055a8b1456", "path_pattern_hash": "80871f7e109ea9867fd6173c2b32059b" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537", "method": "GET", "path": "\/nginx.config", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nginx.config HTTP\/1.1", "request_sample": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/nginx.config", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nginx.config HTTP\/1.1", "request_sample": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b99e4ddb9c72fdf59a81fae3e27f641b748c72c6", "protocol_details": { "http_method": "GET", "http_path": "\/nginx.config", "request_line": "GET \/nginx.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Saf\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nginx.config", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/nginx.config", "request_line": "GET \/nginx.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Saf\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nginx.config", "evidence_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /azure-pipelines.yml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /azure-pipelines.yml UA Mozilla/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /azure-pipelines.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /azure-pipelines.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /azure-pipelines.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.0 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /azure-pipelines.yml HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit/537.3 Requête brute (extrait) GET /azure-pipelines.yml HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.0 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "59bd5080c1726a44d96fa2337b071552e0cbe07a", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "8bacf7ba189e1d49695131e01ec30c1752198ab0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.386505646358545, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "fafbb697f3a57f8150672786938e3cc4f2482946", "event_fingerprint": "27cba8bc7120dac626c3311f2303e07331e4b5f4", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "34e229c3616db30ade3972ff9ee2ef0f", "payload_hash": "3cbe20edaecc043b898b0dbabd982f20", "path_pattern_hash": "d76578f2ff8c409283f48927713c6e3e" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.3", "method": "GET", "path": "\/azure-pipelines.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/azure-pipelines.yml HTTP\/1.1", "request_sample": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.0 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/azure-pipelines.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/azure-pipelines.yml HTTP\/1.1", "request_sample": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.0 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "71c1dfa35973bd35031e8cd680cb97c84d953f22", "protocol_details": { "http_method": "GET", "http_path": "\/azure-pipelines.yml", "request_line": "GET \/azure-pipelines.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.0 Mobile Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/azure-pipelines.yml", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/azure-pipelines.yml", "request_line": "GET \/azure-pipelines.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.0 Mobile Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/azure-pipelines.yml", "evidence_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.3", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:10000 · (tentative d'exploit) · → /nginx.conf	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /nginx.conf UA Mozilla/5.0 (Linux; Android 9; MHA-AL00 Build/HUAWEIMHA-AL00; w… Émulateur HTTP WAF 20 Recommandation Investiguer Tags 950086:sqli-21 950326:rce-0 950470:nosqli-3 http_sensitive_path Cible HTTP GET /nginx.conf TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /nginx.conf Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « sqli-21 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /nginx.conf HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; MHA-AL00 Build/HUAWEIMHA-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.99 Mobile Safari/537.36 MMWEBID/9772 MicroMessenger/7.0.6.1460(0x… Règles WAF sqli-21 rce-0 nosqli-3 Payload (extrait) GET /nginx.conf HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; MHA-AL00 Build/HUAWEIMHA-AL00; wv) Requête brute (extrait) GET /nginx.conf HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; MHA-AL00 Build/HUAWEIMHA-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.99 Mobile Safari/537.36 MMWEBID/9772 MicroMessenger/7.0.6.14 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "conf", "http_ua_hash": "382082862504cc1df3e537e83c0e227b9efa1d31", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "845c3b2b5656c277525928bf4edf7c41919ad7fa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 381, "payload_entropy": 5.546432016468326, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 88, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 88, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1350fd57b4108d38112a6fe3641660386a96452d", "event_fingerprint": "3de4a0c3ead415c7fdcaeaf57d353cd39004f211", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 88, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9ab8a72c6c440df7560e9bf2f63a0869", "payload_hash": "565b35f608b8a8fb48b705e177fb390e", "path_pattern_hash": "80f5fa98cca489e2cf5aa551565e088f" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MHA-AL00 Build\/HUAWEIMHA-AL00; wv) ", "method": "GET", "path": "\/nginx.conf", "user_agent": "Mozilla\/5.0 (Linux; Android 9; MHA-AL00 Build\/HUAWEIMHA-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.99 Mobile Safari\/537.36 MMWEBID\/9772 MicroMessenger\/7.0.6.1460(0x27000634) Process\/tools NetType\/WIFI Language\/zh_CN", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3" ], "request_line": "GET \/nginx.conf HTTP\/1.1", "request_sample": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MHA-AL00 Build\/HUAWEIMHA-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.99 Mobile Safari\/537.36 MMWEBID\/9772 MicroMessenger\/7.0.6.14", "payload_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MHA-AL00 Build\/HUAWEIMHA-AL00; wv)", "evidence": { "method": "GET", "path": "\/nginx.conf", "user_agent": "Mozilla\/5.0 (Linux; Android 9; MHA-AL00 Build\/HUAWEIMHA-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.99 Mobile Safari\/537.36 MMWEBID\/9772 MicroMessenger\/7.0.6.1460(0x27000634) Process\/tools NetType\/WIFI Language\/zh_CN", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3" ], "request_line": "GET \/nginx.conf HTTP\/1.1", "request_sample": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MHA-AL00 Build\/HUAWEIMHA-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.99 Mobile Safari\/537.36 MMWEBID\/9772 MicroMessenger\/7.0.6.14", "payload_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MHA-AL00 Build\/HUAWEIMHA-AL00; wv)", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "da3aa208be138ef16777baf9b74001c053298634", "protocol_details": { "http_method": "GET", "http_path": "\/nginx.conf", "request_line": "GET \/nginx.conf HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; MHA-AL00 Build\/HUAWEIMHA-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Ch\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MHA-AL00 Build\/HUAWEIMHA-AL00; wv)", "attack_vector": "config file probe \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nginx.conf", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 88, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/nginx.conf", "request_line": "GET \/nginx.conf HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; MHA-AL00 Build\/HUAWEIMHA-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Ch\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nginx.conf", "evidence_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MHA-AL00 Build\/HUAWEIMHA-AL00; wv)", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /Jenkinsfile	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /Jenkinsfile UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /Jenkinsfile TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /Jenkinsfile Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /Jenkinsfile HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /Jenkinsfile HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /Jenkinsfile HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "6f8fd29f5931df3fd2350fd515db27457749ee44", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "6196821c9b59b6ceb2d7ccd4d35e939ea59e7ed4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.388951835277331, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a6ebcd166c055bdf2cf4d7dfc27ed175bb294543", "event_fingerprint": "166cf2c75444a225913750a72686997d368624f1", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0941434fd1d5cbbf67cab1335b902271", "payload_hash": "8615a44d4eb4491736566da131db0294", "path_pattern_hash": "0d4eaf992f1a72b02518b7d952191a55" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/Jenkinsfile", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.75 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/Jenkinsfile HTTP\/1.1", "request_sample": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.75 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/Jenkinsfile", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.75 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/Jenkinsfile HTTP\/1.1", "request_sample": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.75 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e45c24d9f7d2a283eb5897456bf35eb215534e63", "protocol_details": { "http_method": "GET", "http_path": "\/Jenkinsfile", "request_line": "GET \/Jenkinsfile HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.75 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/Jenkinsfile", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/Jenkinsfile", "request_line": "GET \/Jenkinsfile HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.75 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/Jenkinsfile", "evidence_snippet": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /.github/workflows/ci.yml	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.github/workflows/ci.yml UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /.github/workflows/ci.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /.github/workflows/ci.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.github/workflows/ci.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.github/workflows/ci.yml HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 ( Requête brute (extrait) GET /.github/workflows/ci.yml HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "c93a0d9de37db86bbb3bca1bfab1bf8ad027f349", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "3ec364769fb4698cfcca7031daf28214f8708060", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.473123288191415, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "190ad512db0f92600a28a13d6ac93f3e95d0ade1", "event_fingerprint": "b617154723ddcef510ee8902d5cb7a17ebe5f0a7", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3983f747cee3631077733ea0cf6bbe95", "payload_hash": "1b3f993e0d21d6f5fabcb8f5da1b06a1", "path_pattern_hash": "0bac82c8c4461b7e2eb48cd6eaefa7e9" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (", "method": "GET", "path": "\/.github\/workflows\/ci.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/ci.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/.github\/workflows\/ci.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/ci.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "75cdd1880a7adf53e3b9f92d4d48d2d5152910e7", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/ci.yml", "request_line": "GET \/.github\/workflows\/ci.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/ci.yml", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/ci.yml", "request_line": "GET \/.github\/workflows\/ci.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/ci.yml", "evidence_snippet": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:10000 · (tentative d'exploit) · → /web.config	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /web.config UA Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/2003051… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /web.config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /web.config Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI IIS web.config Ligne de requête `GET /web.config HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/20030517 Mozilla Firebird/0.6 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/20030517 M Requête brute (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/20030517 Mozilla Firebird/0.6 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "config", "http_ua_hash": "ca9b5cbe2fa1dd4d9da41a80a7aae0baf25a5590", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "fb61e36fe9095535f127e3353d957f1c1310e8e9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 216, "payload_entropy": 5.340973338299792, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "fe0bfdeae60d9a6fd010cb0c90bfa4cb47954389", "event_fingerprint": "2cfc8a9d8927ed1b38b7efe05aaccac18e313c6b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0120" ], "matched_pattern_names": [ "LFI IIS web.config" ], "pattern_ids": [ "pat-0120" ], "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3f397ad907ad1a110e5b37327be373a1", "payload_hash": "bd9ced0c6cbfa4bd32da78cde3b94cfb", "path_pattern_hash": "0913647d7e838cdd727ceda37a671f37" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 M", "method": "GET", "path": "\/web.config", "user_agent": "Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Firebird\/0.6", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web.config HTTP\/1.1", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Firebird\/0.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 M", "evidence": { "method": "GET", "path": "\/web.config", "user_agent": "Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Firebird\/0.6", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web.config HTTP\/1.1", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Firebird\/0.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 M", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3abb3fa1f709133da008c7b936c3e7d16af6d103", "protocol_details": { "http_method": "GET", "http_path": "\/web.config", "request_line": "GET \/web.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Firebird\/0.6", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 M", "attack_vector": "config file probe \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web.config", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/web.config", "request_line": "GET \/web.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Firebird\/0.6", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web.config", "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 M", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:10000 · (tentative d'exploit) · → /.gitconfig	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.gitconfig UA Mozilla/5.0 (Linux; Android 4.4.2; GT-I9190) AppleWebKit/537.36… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /.gitconfig TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /.gitconfig Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.gitconfig HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 4.4.2; GT-I9190) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.gitconfig HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-I9190) AppleWebKit/537.36 (K Requête brute (extrait) GET /.gitconfig HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-I9190) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "gitconfig", "http_ua_hash": "20c42de66ba741197640c8c5b022c33185ef1f03", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "4552edeb48a162af2c0944497328c6fed5ef02ec", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.414000819804221, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "fe0bfdeae60d9a6fd010cb0c90bfa4cb47954389", "event_fingerprint": "a5ee3ca0f82dcebda39f899205645a0409ffa847", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ddd85faaf0c58275f78deb2227b75a80", "payload_hash": "36244b90e18c12ad1c8847752b36a196", "path_pattern_hash": "15182e65e3e4c28fd6667d0a76628de0" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; GT-I9190) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/.gitconfig", "user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; GT-I9190) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.gitconfig HTTP\/1.1", "request_sample": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; GT-I9190) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; GT-I9190) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/.gitconfig", "user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; GT-I9190) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.gitconfig HTTP\/1.1", "request_sample": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; GT-I9190) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; GT-I9190) AppleWebKit\/537.36 (K", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6fb3e20898009e64589b58a10c09c852c5fa8c54", "protocol_details": { "http_method": "GET", "http_path": "\/.gitconfig", "request_line": "GET \/.gitconfig HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; GT-I9190) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; GT-I9190) AppleWebKit\/537.36 (K", "attack_vector": "config file probe \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitconfig", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.gitconfig", "request_line": "GET \/.gitconfig HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; GT-I9190) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitconfig", "evidence_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; GT-I9190) AppleWebKit\/537.36 (K", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /server.xml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /server.xml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /server.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /server.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Tomcat server.xml Ligne de requête `GET /server.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 OPR/62.0.3331.88 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server.xml HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /server.xml HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 OPR/62.0.3331.88 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "254c67403c3f47d62a2cb4f9b7c7d4f75283f3e9", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "524717bd951511cea8642b855a654b176416ff2d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 263, "payload_entropy": 5.422716831258449, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "14ffab383a29e3bdcac06a17f713072aea70df2e", "event_fingerprint": "4109af606cef5bfc024a904d2d97ae060749eb35", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0133" ], "matched_pattern_names": [ "LFI Tomcat server.xml" ], "pattern_ids": [ "pat-0133" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c817b66162d8bb0b95e307a370aa3e20", "payload_hash": "5f733e72d9831f07301ccc95ad98360f", "path_pattern_hash": "d4d89f4ec79feb80a890ebb7bb0f42f9" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/server.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36 OPR\/62.0.3331.88", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.xml HTTP\/1.1", "request_sample": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36 OPR\/62.0.3331.88\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/server.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36 OPR\/62.0.3331.88", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.xml HTTP\/1.1", "request_sample": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36 OPR\/62.0.3331.88\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e52277d64f337ecea5b8f9aca0d4f14c138bc963", "protocol_details": { "http_method": "GET", "http_path": "\/server.xml", "request_line": "GET \/server.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36 OPR\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.xml", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server.xml", "request_line": "GET \/server.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36 OPR\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.xml", "evidence_snippet": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:10000 · (tentative d'exploit) · → /id_rsa	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /id_rsa UA Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleW… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /id_rsa TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /id_rsa Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-credential-file pat-0495 Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred SSH private key id_rsa Ligne de requête `GET /id_rsa HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D100 Safari/604.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /id_rsa HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit/6 Requête brute (extrait) GET /id_rsa HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D100 Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d718e91c69fe9a7668045f940cfbbcad19d57512", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "e7082bf89fb3315806e7ae6952f0a88884c69468", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 263, "payload_entropy": 5.35045633836381, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f9c8fea5e486d9ff804585c45c7ca216fb691014", "event_fingerprint": "1bdc442a73cbdea2a924d0715468aefbfdef60fc", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 225, "precision_signals": [ "SIGMA-web-credential-file", "pat-0495", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-credential-file", "pat-0495", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0495" ], "matched_pattern_names": [ "Cred SSH private key id_rsa" ], "pattern_ids": [ "pat-0495" ], "confidence_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6146ae6af886fef0cc77da517fab88c6", "payload_hash": "1572df18087bb34ff81ab83fafd7b43f", "path_pattern_hash": "7db94f5d7ea5ac98ea13d8c61becd367" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit\/6", "method": "GET", "path": "\/id_rsa", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15D100 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/id_rsa HTTP\/1.1", "request_sample": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15D100 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit\/6", "evidence": { "method": "GET", "path": "\/id_rsa", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15D100 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/id_rsa HTTP\/1.1", "request_sample": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15D100 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit\/6", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3b64ea4897e5c074805e218916df090430159b65", "protocol_details": { "http_method": "GET", "http_path": "\/id_rsa", "request_line": "GET \/id_rsa HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit\/6", "attack_vector": "credential file probe \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/id_rsa", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-credential-file", "pat-0495", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-credential-file", "pat-0495", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/id_rsa", "request_line": "GET \/id_rsa HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/id_rsa", "evidence_snippet": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit\/6", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /.npmrc	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.npmrc UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /.npmrc TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /.npmrc Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred NPM credentials Ligne de requête `GET /.npmrc HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.npmrc HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Requête brute (extrait) GET /.npmrc HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "npmrc", "http_ua_hash": "3ccd4eed62472b12534dd91a4e4a3b0ab7d03350", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "e47e720fc12387d6362d15cf56ef7f004f4a216f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 232, "payload_entropy": 5.4388371196049095, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "14ffab383a29e3bdcac06a17f713072aea70df2e", "event_fingerprint": "c9dab14c3ac8237dd35f0418b87e326b784f4d7f", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0481" ], "matched_pattern_names": [ "Cred NPM credentials" ], "pattern_ids": [ "pat-0481" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e0380f369210706b00a6b0e3ede6f7d9", "payload_hash": "5aa4960e35beb1c48eb0cb38353abb49", "path_pattern_hash": "7643d037b83b1eb932659ed1ccb7e4fe" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "method": "GET", "path": "\/.npmrc", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.npmrc HTTP\/1.1", "request_sample": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "evidence": { "method": "GET", "path": "\/.npmrc", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.npmrc HTTP\/1.1", "request_sample": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0e5ffa97b4c816b335046f6bcd4dce9cbe51c27e", "protocol_details": { "http_method": "GET", "http_path": "\/.npmrc", "request_line": "GET \/.npmrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.npmrc", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.npmrc", "request_line": "GET \/.npmrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.npmrc", "evidence_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:10000 · (tentative d'exploit) · → /.ssh/authorized_keys	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.ssh/authorized_keys UA Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko/… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /.ssh/authorized_keys TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /.ssh/authorized_keys Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-credential-file pat-0489 Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred SSH authorized_keys Ligne de requête `GET /.ssh/authorized_keys HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.ssh/authorized_keys HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Requête brute (extrait) GET /.ssh/authorized_keys HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ssh\/authorized_keys", "http_ua_hash": "9c6f4d33e593acd554149a1d6c4e7312d797bc2c", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "a25aaf7c350e380b4697c5b640d5d962e0f1dd91", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.38437963146867, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "d703878e02ce0e6de33f977642e6dc3a6fe1a339", "event_fingerprint": "a5962474febe03d629d576056ad0b8b2f32ae652", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 225, "precision_signals": [ "SIGMA-web-credential-file", "pat-0489", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-credential-file", "pat-0489", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0489" ], "matched_pattern_names": [ "Cred SSH authorized_keys" ], "pattern_ids": [ "pat-0489" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7cd5846c1fb73cfba66259c27b4ab701", "payload_hash": "c8b4f79b7bb9a4876ef5ce120c11f31b", "path_pattern_hash": "7cedd4ba646691da0a133647f6b04acc" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.ssh\/authorized_keys HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8)", "method": "GET", "path": "\/.ssh\/authorized_keys", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko\/20100722 Firefox\/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.ssh\/authorized_keys HTTP\/1.1", "request_sample": "GET \/.ssh\/authorized_keys HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko\/20100722 Firefox\/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/.ssh\/authorized_keys HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8)", "evidence": { "method": "GET", "path": "\/.ssh\/authorized_keys", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko\/20100722 Firefox\/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.ssh\/authorized_keys HTTP\/1.1", "request_sample": "GET \/.ssh\/authorized_keys HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko\/20100722 Firefox\/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/.ssh\/authorized_keys HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8)", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a95725aec9a0fc7343c6e414b30a6b7081e38d01", "protocol_details": { "http_method": "GET", "http_path": "\/.ssh\/authorized_keys", "request_line": "GET \/.ssh\/authorized_keys HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko\/20100722 Firefox\/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E)", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.ssh\/authorized_keys HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8)", "attack_vector": "credential file probe \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.ssh\/authorized_keys", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-credential-file", "pat-0489", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-credential-file", "pat-0489", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.ssh\/authorized_keys", "request_line": "GET \/.ssh\/authorized_keys HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko\/20100722 Firefox\/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E)", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.ssh\/authorized_keys", "evidence_snippet": "GET \/.ssh\/authorized_keys HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8)", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /private_key.pem	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /private_key.pem UA Mozilla/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML/4.8.4 (… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /private_key.pem TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /private_key.pem Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /private_key.pem HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML/4.8.4 (like Gecko) Konqueror/4.8 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /private_key.pem HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML/4.8.4 Requête brute (extrait) GET /private_key.pem HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML/4.8.4 (like Gecko) Konqueror/4.8 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "pem", "http_ua_hash": "1142aace171bdc96dab7feede9d4ef7bf73b6f94", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "0f51bc792d6f938bb82ea19d1935c3464eb59ea8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 224, "payload_entropy": 5.374796131840825, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f9c8fea5e486d9ff804585c45c7ca216fb691014", "event_fingerprint": "29e3f0b931cb877a6092ac3da11a40e1e33e409b", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "16fa4c68e54b2d26a3caf99a15f514fb", "payload_hash": "96889bfb36d4eb7b8bac61022745bcc0", "path_pattern_hash": "fb2942fad108fb946e981f9671efa9dc" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4", "method": "GET", "path": "\/private_key.pem", "user_agent": "Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4 (like Gecko) Konqueror\/4.8", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private_key.pem HTTP\/1.1", "request_sample": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4 (like Gecko) Konqueror\/4.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4", "evidence": { "method": "GET", "path": "\/private_key.pem", "user_agent": "Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4 (like Gecko) Konqueror\/4.8", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private_key.pem HTTP\/1.1", "request_sample": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4 (like Gecko) Konqueror\/4.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "23f43243ab02229f0c2c862bf4907d7252e94e42", "protocol_details": { "http_method": "GET", "http_path": "\/private_key.pem", "request_line": "GET \/private_key.pem HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4 (like Gecko) Konqueror\/4.8", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private_key.pem", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/private_key.pem", "request_line": "GET \/private_key.pem HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4 (like Gecko) Konqueror\/4.8", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private_key.pem", "evidence_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /sendgrid.config.js	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.config.js UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.config.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /sendgrid.config.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.config.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.config.js HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (K Requête brute (extrait) GET /sendgrid.config.js HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "bc015ca793896994b398da81b73ea6411505c24f", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "97c6c01ed1cd44a1cf5c9909b699de08c7716b13", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 249, "payload_entropy": 5.378758645513495, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "14ffab383a29e3bdcac06a17f713072aea70df2e", "event_fingerprint": "6de057714e07cd477a7bad2ccbd43a4bd8e4638e", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e6eb4f21da426bcec45322842c03b78a", "payload_hash": "1b84f60eaafbeb61f03007384cc80981", "path_pattern_hash": "032717fdb137d07613be2acfbba19b69" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/sendgrid.config.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.config.js HTTP\/1.1", "request_sample": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/sendgrid.config.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.config.js HTTP\/1.1", "request_sample": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "be6a86df365d94391f57a66eb42879772f547858", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.config.js", "request_line": "GET \/sendgrid.config.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.config.js", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.config.js", "request_line": "GET \/sendgrid.config.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.config.js", "evidence_snippet": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /.bash_history	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.bash_history UA Mozilla/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit/605… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /.bash_history TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /.bash_history Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Bash history Ligne de requête `GET /.bash_history HTTP/1.1` User-Agent Mozilla/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148;WeRead/4.1.3 (iPad; iOS 12.3.1; Scale/2.00) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.bash_history HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit/605 Requête brute (extrait) GET /.bash_history HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148;WeRead/4.1.3 (iPad; iOS 12.3.1; Scale/2.00) Accept-Charset: utf-8 Accept-Encoding: gzi Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bash_history", "http_ua_hash": "f738946810956c2025d2bf3e12f10f5c055e13c5", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "3740e867d7aba2aaaf44f99aaa36772f226b5d91", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 280, "payload_entropy": 5.3997735286820445, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f9c8fea5e486d9ff804585c45c7ca216fb691014", "event_fingerprint": "3bd1f7bdbffed2d5fbcb35054b5d7de36d8d5f2a", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0109" ], "matched_pattern_names": [ "LFI Bash history" ], "pattern_ids": [ "pat-0109" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5683bb1b83eff70fd3776af24b7f3e87", "payload_hash": "d4c7b26624495c2f7e34df350c229021", "path_pattern_hash": "70ca8eb80ffbde2088a35c267977e4d4" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605", "method": "GET", "path": "\/.bash_history", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148;WeRead\/4.1.3 (iPad; iOS 12.3.1; Scale\/2.00)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.bash_history HTTP\/1.1", "request_sample": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148;WeRead\/4.1.3 (iPad; iOS 12.3.1; Scale\/2.00)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzi", "payload_snippet": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605", "evidence": { "method": "GET", "path": "\/.bash_history", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148;WeRead\/4.1.3 (iPad; iOS 12.3.1; Scale\/2.00)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.bash_history HTTP\/1.1", "request_sample": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148;WeRead\/4.1.3 (iPad; iOS 12.3.1; Scale\/2.00)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzi", "payload_snippet": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6e090c008389b059e5f3555e9c088b5a1b8fda97", "protocol_details": { "http_method": "GET", "http_path": "\/.bash_history", "request_line": "GET \/.bash_history HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148;WeRead\/4.1.3 (iP\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.bash_history", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.bash_history", "request_line": "GET \/.bash_history HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148;WeRead\/4.1.3 (iP\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.bash_history", "evidence_snippet": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:10000 · (tentative d'exploit) · → /server.pem	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /server.pem UA Mozilla/5.0 (X11; Linux i686; rv:46.0) Gecko/20100101 Firefox/4… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /server.pem TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /server.pem Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux pat-0498 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Server PEM certificate Ligne de requête `GET /server.pem HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:46.0) Gecko/20100101 Firefox/46.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server.pem HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:46.0) Gecko/20100101 Firefox/46.0 Requête brute (extrait) GET /server.pem HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:46.0) Gecko/20100101 Firefox/46.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "pem", "http_ua_hash": "ed562f4ce0ce36d4da8120f8a185ebd7d4f96b75", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "5fe380198269c9a1a6d0511e7b302de05ee3b072", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 197, "payload_entropy": 5.245570311750706, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f9c8fea5e486d9ff804585c45c7ca216fb691014", "event_fingerprint": "4077ecf04aa19d475f6ddf63bc97e748b9c45b74", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0498", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0498", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0498" ], "matched_pattern_names": [ "Cred Server PEM certificate" ], "pattern_ids": [ "pat-0498" ], "confidence_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c3b8ffd6d4f92441ef5d8e508ab43875", "payload_hash": "b4fa906ab33ef2a3bad4abe66f388f11", "path_pattern_hash": "6d08c40a9dd5a1c7d52ff80a12d01067" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0", "method": "GET", "path": "\/server.pem", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.pem HTTP\/1.1", "request_sample": "GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0", "evidence": { "method": "GET", "path": "\/server.pem", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.pem HTTP\/1.1", "request_sample": "GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "89723664c9af34648a14901e2bb15de7539378fb", "protocol_details": { "http_method": "GET", "http_path": "\/server.pem", "request_line": "GET \/server.pem HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0", "attack_vector": "credential file probe \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.pem", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "pat-0498", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0498", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server.pem", "request_line": "GET \/server.pem HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.pem", "evidence_snippet": "GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /.netrc	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.netrc UA Mozilla/5.0 (Linux; Android 9; Redmi Note 7 Pro Build/PKQ1.1812… Émulateur HTTP WAF 20 Recommandation Investiguer Tags 950086:sqli-21 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /.netrc TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /.netrc Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Netrc credentials Ligne de requête `GET /.netrc HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Redmi Note 7 Pro Build/PKQ1.181203.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044807 Mobile Safari/537.36 MMWEB… Règles WAF sqli-21 rce-0 nosqli-3 Payload (extrait) GET /.netrc HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 7 Pro Build/PKQ1.181203.001; Requête brute (extrait) GET /.netrc HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 7 Pro Build/PKQ1.181203.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044807 Mobile Safari/537.36 MMWE Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "netrc", "http_ua_hash": "026bdd67e001cb7973ee10c0cfb24e63b454ba56", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "b7551dc22135c68ecee0a4d011ec4c0b7c771e06", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 413, "payload_entropy": 5.537514382897528, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 88, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 88, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 64, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5fb1bf96f85055a71b7fa879afc4ddb175c819d4", "event_fingerprint": "ddcb5830873d5c6f0672b84a035f83f46f593cb5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0482" ], "matched_pattern_names": [ "Cred Netrc credentials" ], "pattern_ids": [ "pat-0482" ], "confidence_breakdown": { "waf": 88, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58aa42775af65cecb8976a9dfcdef477", "payload_hash": "9ed842a73098b2dadbd1ec7204a3ff12", "path_pattern_hash": "5fa317981ba713f7d39164540951d6bb" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7 Pro Build\/PKQ1.181203.001;", "method": "GET", "path": "\/.netrc", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 7 Pro Build\/PKQ1.181203.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/7272 MicroMessenger\/7.0.6.1460(0x27000634) Process\/to\u2026", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3" ], "request_line": "GET \/.netrc HTTP\/1.1", "request_sample": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7 Pro Build\/PKQ1.181203.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWE", "payload_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7 Pro Build\/PKQ1.181203.001;", "evidence": { "method": "GET", "path": "\/.netrc", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 7 Pro Build\/PKQ1.181203.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/7272 MicroMessenger\/7.0.6.1460(0x27000634) Process\/to\u2026", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3" ], "request_line": "GET \/.netrc HTTP\/1.1", "request_sample": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7 Pro Build\/PKQ1.181203.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWE", "payload_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7 Pro Build\/PKQ1.181203.001;", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6cb7226c1904bc2a80d513d4718369eeedf88bc7", "protocol_details": { "http_method": "GET", "http_path": "\/.netrc", "request_line": "GET \/.netrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 7 Pro Build\/PKQ1.181203.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Versi\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7 Pro Build\/PKQ1.181203.001;", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.netrc", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 88, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.netrc", "request_line": "GET \/.netrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 7 Pro Build\/PKQ1.181203.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Versi\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.netrc", "evidence_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7 Pro Build\/PKQ1.181203.001;", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:10000 · (tentative d'exploit) · → /.ssh/id_rsa	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.ssh/id_rsa UA Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/537.36… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_id_rsa Cible HTTP GET /.ssh/id_rsa TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /.ssh/id_rsa Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · Sonde clé SSH / id_rsa · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-credential-file Http Id Rsa pat-0490 pat-0495 Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred SSH key in .ssh Cred SSH private key id_rsa Ligne de requête `GET /.ssh/id_rsa HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.ssh/id_rsa HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/537.36 ( Requête brute (extrait) GET /.ssh/id_rsa HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ssh\/id_rsa", "http_ua_hash": "debb15a7d68aa336bc36ec7e628a2911a37d6393", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "d951dfd854ab99392c126a2628ec52b85415a678", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.389072222908915, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 6, "anomaly_count": 0, "campaign_key": "80da28cb98bd379592d6af235cbe43fec08bd50b", "event_fingerprint": "cab09116da169f764be87491375e0c71cd9de4f0", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 393, "precision_signals": [ "SIGMA-web-credential-file", "INT-http_id_rsa", "pat-0490", "pat-0495", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-credential-file", "INT-http_id_rsa", "pat-0490", "pat-0495", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0490", "pat-0495" ], "matched_pattern_names": [ "Cred SSH key in .ssh", "Cred SSH private key id_rsa" ], "pattern_ids": [ "pat-0490", "pat-0495" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d60e0586986b6a343b0c6e2f32127712", "payload_hash": "a3370d41fca05140fdf33765a0792691", "path_pattern_hash": "6eca2c923ad05fff3eba197c659999e2" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (", "method": "GET", "path": "\/.ssh\/id_rsa", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "request_sample": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/.ssh\/id_rsa", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "request_sample": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d99ce16b101d089c40fea0d2dcc32112a45d87ec", "protocol_details": { "http_method": "GET", "http_path": "\/.ssh\/id_rsa", "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (", "attack_vector": "credential file probe \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.ssh\/id_rsa", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-credential-file", "INT-http_id_rsa", "pat-0490", "pat-0495" ], "tags_summary_labels_fr": [ "SIGMA-web-credential-file", "Http Id Rsa", "pat-0490", "pat-0495" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.ssh\/id_rsa", "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.ssh\/id_rsa", "evidence_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_id_rsa", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /assets/js/sendgrid.js	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /assets/js/sendgrid.js UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /assets/js/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /assets/js/sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /assets/js/sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /assets/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /assets/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "2cecc9621dea7d276855e0e899c9f487caeeefe2", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "acda6bf02865a5f0451c6b9d0899297afde192a1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.418638934530645, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 6, "anomaly_count": 0, "campaign_key": "119697c241b7bb6f8d1c51b35233865766ea742c", "event_fingerprint": "d0014baf400cf417ebc8ef6c9c41b378b596e23e", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ec5d4df262c623ce32a88a3272259c4b", "payload_hash": "460d810a1c04acd8a37eb320cc61f70d", "path_pattern_hash": "1306be68ad7cfbf9a63999288f6e84d3" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/assets\/js\/sendgrid.js", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/assets\/js\/sendgrid.js", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHT", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "10e2d1eeed65257dcca4d45f8800bafafa19cab1", "protocol_details": { "http_method": "GET", "http_path": "\/assets\/js\/sendgrid.js", "request_line": "GET \/assets\/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHT", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/assets\/js\/sendgrid.js", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/assets\/js\/sendgrid.js", "request_line": "GET \/assets\/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/assets\/js\/sendgrid.js", "evidence_snippet": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHT", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_assets", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /js/sendgrid.js	Élevée	Élevé · 69
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /js/sendgrid.js UA Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/2010010… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /js/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /js/sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 69 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /js/sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/201001 Requête brute (extrait) GET /js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "8d25cb05cd1f0befc22edd45b32df510a90b04d5", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "7114249614c60cac92b11c965ba88c076eabbbd2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 212, "payload_entropy": 5.277064604600014, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 69, "tag_count": 5, "anomaly_count": 0, "campaign_key": "7e75a34e01b56b359a3b5bfcd7dc5402a9fb2d37", "event_fingerprint": "029505274a02fdc27b2405478078bb39eb14beec", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1467830dbb88916b462807dc36fa4e61", "payload_hash": "883928a02d5f5d4455febea801c1a7df", "path_pattern_hash": "e872e36d7b0986feefb905fe01ffcd7c" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 69 }, "payload_preview": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko\/201001", "method": "GET", "path": "\/js\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko\/20100101 Firefox\/25.0", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko\/20100101 Firefox\/25.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko\/201001", "evidence": { "method": "GET", "path": "\/js\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko\/20100101 Firefox\/25.0", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko\/20100101 Firefox\/25.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko\/201001", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6a8506e2c0537c5e88cb7a6ab35f3fc7ff5a1c80", "protocol_details": { "http_method": "GET", "http_path": "\/js\/sendgrid.js", "request_line": "GET \/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko\/20100101 Firefox\/25.0", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko\/201001", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/sendgrid.js", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 69, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/js\/sendgrid.js", "request_line": "GET \/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko\/20100101 Firefox\/25.0", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/sendgrid.js", "evidence_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko\/201001", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /server.key	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /server.key UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /server.key TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /server.key Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Server private key Ligne de requête `GET /server.key HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.4 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server.key HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /server.key HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.4 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "key", "http_ua_hash": "73a819af36e260f12b54c59e717c833cd5aa3fa1", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "cf1afbf8420628be2ea8315c59921f18b70510e8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 239, "payload_entropy": 5.413606157267207, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "14ffab383a29e3bdcac06a17f713072aea70df2e", "event_fingerprint": "8c1d7434e36c60a5770c5de80ce6c62d3b1c2320", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0499" ], "matched_pattern_names": [ "Cred Server private key" ], "pattern_ids": [ "pat-0499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d3fa4d6f7636772e7066d1081a761a29", "payload_hash": "177bcb617914c0dc05336ec69a90eeb3", "path_pattern_hash": "51ffc9c2865ea094d2e6b0576cde621f" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/server.key", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.key HTTP\/1.1", "request_sample": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/server.key", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.key HTTP\/1.1", "request_sample": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "066ed4355e9c6a5e9e7b9c39eb3e4295bf4e054e", "protocol_details": { "http_method": "GET", "http_path": "\/server.key", "request_line": "GET \/server.key HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.key", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server.key", "request_line": "GET \/server.key HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.key", "evidence_snippet": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /private.key	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /private.key UA Mozilla/5.0 (compatible; Konqueror/4.3; Linux) KHTML/4.3.1 (lik… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /private.key TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /private.key Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /private.key HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Konqueror/4.3; Linux) KHTML/4.3.1 (like Gecko) Fedora/4.3.1-3.fc11 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /private.key HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.3; Linux) KHTML/4.3.1 (like Requête brute (extrait) GET /private.key HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.3; Linux) KHTML/4.3.1 (like Gecko) Fedora/4.3.1-3.fc11 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "key", "http_ua_hash": "ae38dbc6bfe938f209cb9dc0a75968fdae269733", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "778f1a2da806bd5e8dfbe960a44247fae7b2ad06", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 223, "payload_entropy": 5.311927853558059, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "14ffab383a29e3bdcac06a17f713072aea70df2e", "event_fingerprint": "f023eadb2bccfe017e44ef5ecf760261a03626e8", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8b9dfcb2e76e95d03ed4e98f89a5fca9", "payload_hash": "8a5e7ce0f965f0db5dac7d756f7a1733", "path_pattern_hash": "99d81cc4cfd81ec40e55a6efe29c670b" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3.1 (like ", "method": "GET", "path": "\/private.key", "user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3.1 (like Gecko) Fedora\/4.3.1-3.fc11", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private.key HTTP\/1.1", "request_sample": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3.1 (like Gecko) Fedora\/4.3.1-3.fc11\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3.1 (like", "evidence": { "method": "GET", "path": "\/private.key", "user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3.1 (like Gecko) Fedora\/4.3.1-3.fc11", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private.key HTTP\/1.1", "request_sample": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3.1 (like Gecko) Fedora\/4.3.1-3.fc11\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3.1 (like", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d4580d2ecc3eaf7bab4d1fd4ebdf9f736e8637b4", "protocol_details": { "http_method": "GET", "http_path": "\/private.key", "request_line": "GET \/private.key HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3.1 (like Gecko) Fedora\/4.3.1-3.fc11", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3.1 (like", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private.key", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/private.key", "request_line": "GET \/private.key HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3.1 (like Gecko) Fedora\/4.3.1-3.fc11", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private.key", "evidence_snippet": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3.1 (like", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /src/sendgrid.js	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /src/sendgrid.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /src/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /src/sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /src/sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /src/sendgrid.js HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /src/sendgrid.js HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "e8761e5ab07187c141f9877d6cb4b8b4d14d31f3", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "a3238471d1a50dc88710b61abe1ecef20adb8ca4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.40233688652498, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f31661a442174841a23ce769bd20c24cdad800e6", "event_fingerprint": "b70e53c96e5cb6830040d2ff47e9158f15073c27", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f3c67377bb4f9116a6a27a941a7e5016", "payload_hash": "0861db45b1c3178f38dd61deb0e05060", "path_pattern_hash": "e36285cd7734c4bd56f4ea4e4d82c8ca" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 ", "method": "GET", "path": "\/src\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/src\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/src\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/src\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "421c3ac9eba8c86917b7761e7dfae9c898e6aad3", "protocol_details": { "http_method": "GET", "http_path": "\/src\/sendgrid.js", "request_line": "GET \/src\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/sendgrid.js", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/src\/sendgrid.js", "request_line": "GET \/src\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/sendgrid.js", "evidence_snippet": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /sendgrid.min.js	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.min.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.min.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /sendgrid.min.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.min.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3436.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.min.js HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /sendgrid.min.js HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3436.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "c1829e33905e469435482d5a99cb1058fc3c4be7", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "c3c746112c0f0239b9db723ddc097884068a0409", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 249, "payload_entropy": 5.3901037707868875, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "14ffab383a29e3bdcac06a17f713072aea70df2e", "event_fingerprint": "dfc10104b980fa635343afa2f2738f263442cd43", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0744a14798456c3620dc800647d69ee1", "payload_hash": "fe888cff9546b1bd0778a32eb1855ca4", "path_pattern_hash": "eedccc9bc850fd543465f59f02102b9c" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 ", "method": "GET", "path": "\/sendgrid.min.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.min.js HTTP\/1.1", "request_sample": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/sendgrid.min.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.min.js HTTP\/1.1", "request_sample": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8c6bd2bb1306681d278c33a4cbf9e36b2d0461eb", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.min.js", "request_line": "GET \/sendgrid.min.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.min.js", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.min.js", "request_line": "GET \/sendgrid.min.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.min.js", "evidence_snippet": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /sendgrid.js	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.js UA Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTM… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.js HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /sendgrid.js HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "dbc300a2fdbce9356ecb24ee11e2ee1d42c7eee0", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "af3d72bf73a37ea591ef956266b665cf12d6558b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 244, "payload_entropy": 5.437802652178687, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "14ffab383a29e3bdcac06a17f713072aea70df2e", "event_fingerprint": "8867eb9c08ccb7aa6e52d25b71c395f7f713e5bd", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f87bfe70fdc910a1c65033b3ad50ee97", "payload_hash": "a083c8e62fa624bb2df049327848f58a", "path_pattern_hash": "f692cb581dcfe0e04c53a5afcbe187bf" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/sendgrid.js", "user_agent": "Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.js HTTP\/1.1", "request_sample": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/sendgrid.js", "user_agent": "Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.js HTTP\/1.1", "request_sample": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1fc63bf49b9c85d5af7a2127d9e2581d56a0555c", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.js", "request_line": "GET \/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.js", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.js", "request_line": "GET \/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.js", "evidence_snippet": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML,", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /.pypirc	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.pypirc UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /.pypirc TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /.pypirc Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.pypirc HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.pypirc HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko Requête brute (extrait) GET /.pypirc HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "pypirc", "http_ua_hash": "c28869da8a5580e045c507ea0936555e21c1862e", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "4f379f0493c77f8c140c8f093ef7d07d4d18769b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 233, "payload_entropy": 5.4208535628106445, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f9c8fea5e486d9ff804585c45c7ca216fb691014", "event_fingerprint": "d76a4d3e6dfc63cc70b7c2cda68a86f2b3026c74", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d3273569706da18414462fd254b8f13b", "payload_hash": "3ec17aff0ad8b2df05ed422d05ad41c6", "path_pattern_hash": "f4c8c175cb2aad95cfdfc95e8249602c" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "method": "GET", "path": "\/.pypirc", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.170 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.pypirc HTTP\/1.1", "request_sample": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.170 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "evidence": { "method": "GET", "path": "\/.pypirc", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.170 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.pypirc HTTP\/1.1", "request_sample": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.170 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a0bd39f5e4ffa879ec19489c063bf309bbf1b31c", "protocol_details": { "http_method": "GET", "http_path": "\/.pypirc", "request_line": "GET \/.pypirc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.170 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.pypirc", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.pypirc", "request_line": "GET \/.pypirc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.170 Safari\/537.36", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.pypirc", "evidence_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /sendgrid_helper.py	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid_helper.py UA Mozilla/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit/537.36… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid_helper.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /sendgrid_helper.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid_helper.py HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid_helper.py HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit/5 Requête brute (extrait) GET /sendgrid_helper.py HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "py", "http_ua_hash": "ebc73af3add799930ae225046d32f774512e7d41", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "772198c723c64c6ab2c19442e512e9b63957a609", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 263, "payload_entropy": 5.405440815679419, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "14ffab383a29e3bdcac06a17f713072aea70df2e", "event_fingerprint": "251602a59d1fee24c84f114ca57d5fefc585a31d", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f175d57f2470206520eeed314e839c11", "payload_hash": "09f419b358917fc8eaf2af21d7b4b596", "path_pattern_hash": "f0a726c4ecbb7f24a7410bc2568f13fc" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/5", "method": "GET", "path": "\/sendgrid_helper.py", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid_helper.py HTTP\/1.1", "request_sample": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/sendgrid_helper.py", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid_helper.py HTTP\/1.1", "request_sample": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8acd151844f366fbcfee32facfe8310d97b48a04", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid_helper.py", "request_line": "GET \/sendgrid_helper.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/5\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/5", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid_helper.py", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid_helper.py", "request_line": "GET \/sendgrid_helper.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/5\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid_helper.py", "evidence_snippet": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/5", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /config/sendgrid.js	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.js UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /config/sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.js HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi Requête brute (extrait) GET /config/sendgrid.js HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "5239ad7d22afb3d7eae8dd135226be187ef5cd33", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "dfc017b1f5d967c2ea8d62566bf7510e84bb5637", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 227, "payload_entropy": 5.335921213607197, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "8398e3f448f94bfe166d1a0716f446af2e83154b", "event_fingerprint": "78a568a0b2b58753dc93c1cd85c55b991d4a9494", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e2dc6da1de2eb0d618cf99c82d936563", "payload_hash": "77ca5d13c7ffd0a73d241c2a9fdbf979", "path_pattern_hash": "cf64c655ed198e8031863155489c92f2" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "method": "GET", "path": "\/config\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "evidence": { "method": "GET", "path": "\/config\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3297739073fc41d3529d2806e4889c32011b0947", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.js", "request_line": "GET \/config\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko)", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.js", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.js", "request_line": "GET \/config\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko)", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.js", "evidence_snippet": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 13:23:09 UTC	TCP	10000 · HTTP	http	Flood / DDoS http flood · via HTTP:10000 · (tentative d'exploit) · → /mailer/sendgrid.js	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /mailer/sendgrid.js UA Mozilla/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit/537.36… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /mailer/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10000 Chemin / cible /mailer/sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /mailer/sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /mailer/sendgrid.js HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit/5 Requête brute (extrait) GET /mailer/sendgrid.js HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "1ec76de79048327f0e5c528a16069d0d17549e57", "http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc", "http_target_hash": "f0266273bf48ddd4776744bfb636ed48db1f9a0e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 264, "payload_entropy": 5.393782325248357, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 10000, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f31661a442174841a23ce769bd20c24cdad800e6", "event_fingerprint": "1606a3b60423bad9056f089cdecc2ee133269a04", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7a9f67fec24c4f845c587df0ff337b33", "payload_hash": "dea819c081f08c8e9a39bf1643b869b1", "path_pattern_hash": "6ecfd778a602d8c5515ae4f71e84d137" }, "target_context": { "dst_port": 10000, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/5", "method": "GET", "path": "\/mailer\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/mailer\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "236a845bc6b7bb86ade536801e93621494663147", "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.js", "request_line": "GET \/mailer\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/5", "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.js", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.js", "request_line": "GET \/mailer\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 10000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:10000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.js", "evidence_snippet": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/5", "target_port_label": "10000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "webmin" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }

8.230.25.99

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence