{"ip":"80.70.96.153","exported_at":"2026-06-18T13:23:20+00:00","period_days":30,"metrics":{"events7d":146,"distinct_ports":1,"distinct_classifications":2,"max_severity":6,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":49,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["scanner"],"recommended_action":"monitor","confidence":1,"risk_breakdown":{"waf":8,"classification":42,"behavior":0,"geo":0,"protocol":30,"novelty":15},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":146,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 49\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":42,"behavior":0,"geo":0,"protocol":30,"novelty":15,"risk_score":49},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":100,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0382","pat-0770","Upstream"],"tags_summary":["pat-0382","pat-0770","INT-upstream"],"attack_vector":"rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM","port":554,"service":"rtsp","service_label_fr":"RTSP"},"protocol_summary_fr":"Payload DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\r\nCSeq: 1\r\nAcce\u2026 \u00b7 RTSP:554","evidence_snippet":"DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM","target_port_label":"554 \u00b7 RTSP","emulator_service":"rtsp","confidence_reason":"Confiance 100 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%","classification_reason_label_fr":"Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 8","payload_preview":"DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM"},"events":[{"id":9132049,"ip":"80.70.96.153","ts":"2026-06-15 11:27:49.000000","proto":"tcp","src_port":48664,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 157, \u0022payload_entropy\u0022: 5.270189263081607, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e4fc07fdad193c224b13fa7e3768d5e4\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/outputStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizatio\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/outputStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/outputStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizatio\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/outputStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/outputStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizatio\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223cdd019650c552cfd8d4d94304b671559bb5dafc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/outputStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizatio\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/outputStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizatio\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/outputStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizatio\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/outputStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizatio\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":157},{"id":9132050,"ip":"80.70.96.153","ts":"2026-06-15 11:27:49.000000","proto":"tcp","src_port":48684,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 156, \u0022payload_entropy\u0022: 5.28383260866098, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225b66d8e32508edfd1ec28550c23056ba\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/videoStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/videoStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/videoStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/videoStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/videoStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226b8ce34634084df8ea136b2cbb34c8652276498f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/videoStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/videoStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/videoStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/videoStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":156},{"id":9132051,"ip":"80.70.96.153","ts":"2026-06-15 11:27:49.000000","proto":"tcp","src_port":48686,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 154, \u0022payload_entropy\u0022: 5.270491921762397, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a794993c9dd50da6627de1f6777f9e26\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: \u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228033394c65a4dac46ee6f9df094c9c096225200d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":154},{"id":9132052,"ip":"80.70.96.153","ts":"2026-06-15 11:27:49.000000","proto":"tcp","src_port":48680,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 154, \u0022payload_entropy\u0022: 5.264398149475343, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022653caea3a5cb06a85016a59916c645ed\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/ipcStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: \u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/ipcStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/ipcStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/ipcStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/ipcStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002246a909d7ca2b84acde2a068496b672c48b73dae9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/ipcStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/ipcStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/ipcStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/ipcStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":154},{"id":9132053,"ip":"80.70.96.153","ts":"2026-06-15 11:27:49.000000","proto":"tcp","src_port":48698,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 155, \u0022payload_entropy\u0022: 5.257117589815788, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022cd1efe2aa2c9a27c60dd0747a26a95b1\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221f35728dc34f5c3363708cb93cdaa9e201fc7696\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":155},{"id":9132054,"ip":"80.70.96.153","ts":"2026-06-15 11:27:49.000000","proto":"tcp","src_port":48710,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 143, \u0022payload_entropy\u0022: 5.241215307073412, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002232a16dcd04de9209406ae4aea3a0c051\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bcf1deba0f8ff56b68f6d4ed31f98e948625fe20\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":143},{"id":9132032,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48514,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 138, \u0022payload_entropy\u0022: 5.283743798508826, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225ef2e3966c308933ffce895fd2430fea\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av2 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MD\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av2 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av2 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MD\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av2 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av2 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MD\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220596ac1eb79c3747424575d41d3a27b8faac04ed\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av2 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MD\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av2 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MD\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av2 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MD\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av2 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MD\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":138},{"id":9132033,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48508,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 143, \u0022payload_entropy\u0022: 5.288744897857538, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022596bc4b66a763c297f254bf28d056604\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsph264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsph264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsph264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsph264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsph264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bd5e1a870555906fe4bdef5e5853eec4a6fed132\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsph264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsph264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsph264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsph264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":143},{"id":9132034,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48504,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 149, \u0022payload_entropy\u0022: 5.336009924661248, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222f1884a0cc1e7c2a0e06e0fbcd163a24\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live_mpeg4.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live_mpeg4.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live_mpeg4.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live_mpeg4.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live_mpeg4.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002257ccbb3e6e2a401a622c37cbaf1620824782e1c8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live_mpeg4.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live_mpeg4.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live_mpeg4.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live_mpeg4.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":149},{"id":9132035,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48524,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 164, \u0022payload_entropy\u0022: 5.349190115438437, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002207ae7641b138eb81b4da5ea803422bc0\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/videoinput_1\/h264_1\/media.stm RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAutho\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/videoinput_1\/h264_1\/media.stm RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/videoinput_1\/h264_1\/media.stm RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAutho\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/videoinput_1\/h264_1\/media.stm RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/videoinput_1\/h264_1\/media.stm RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAutho\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022be71171a37aedc691696b5d7385155dcd5743d1c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/videoinput_1\/h264_1\/media.stm RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAutho\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/videoinput_1\/h264_1\/media.stm RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAutho\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/videoinput_1\/h264_1\/media.stm RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAutho\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/videoinput_1\/h264_1\/media.stm RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAutho\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":164},{"id":9132036,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48538,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 154, \u0022payload_entropy\u0022: 5.329604928566034, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002244075d03807c0c8ddfb2cce0cf5cd084\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/HighResolutionVideo RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: \u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/HighResolutionVideo RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/HighResolutionVideo RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/HighResolutionVideo RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/HighResolutionVideo RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225bb07eb1a7c8d7c083d7a823ce3e5ea96f8b34aa\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/HighResolutionVideo RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/HighResolutionVideo RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/HighResolutionVideo RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/HighResolutionVideo RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":154},{"id":9132037,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48544,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 148, \u0022payload_entropy\u0022: 5.310258394209969, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e50fe699840e132c2420d1c8297adc88\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/video1+audio1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic \u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/video1+audio1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/video1+audio1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/video1+audio1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/video1+audio1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a416d2d38e1187087f84299fc1eb00e86c4cf92b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/video1+audio1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/video1+audio1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/video1+audio1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/video1+audio1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":148},{"id":9132038,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48574,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 149, \u0022payload_entropy\u0022: 5.264607175660913, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221add83cac5901e193b350eb0120148c8\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtsp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtsp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtsp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtsp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtsp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b44efcc14febd88582e1a815f2b6b72691b578d4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtsp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtsp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtsp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtsp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":149},{"id":9132039,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48558,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 153, \u0022payload_entropy\u0022: 5.27522127827858, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e1809754e78d9a5de7451fd5c49064d2\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspfeed RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: B\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspfeed RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspfeed RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: B\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspfeed RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspfeed RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: B\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222f9b2045da23d9f7c8f079b51e15fbb2d2e43314\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspfeed RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: B\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspfeed RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: B\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspfeed RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: B\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspfeed RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: B\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":153},{"id":9132040,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48580,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 148, \u0022payload_entropy\u0022: 5.279744498638104, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c1a90c96005c7325eef36259f330f56b\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/mainStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic \u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/mainStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/mainStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/mainStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/mainStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221a67934671a5c5c0e47401ea736ae738f693d688\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/mainStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/mainStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/mainStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/mainStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":148},{"id":9132041,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48584,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 151, \u0022payload_entropy\u0022: 5.299992054805837, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002211f08648912457c6d6e0d6a4827d9550\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/defaultStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Bas\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/defaultStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/defaultStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Bas\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/defaultStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/defaultStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Bas\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c99efc0e1d28e140cf31c9a43bc147632ccbf64c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/defaultStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Bas\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/defaultStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Bas\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/defaultStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Bas\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/defaultStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Bas\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":151},{"id":9132042,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48598,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 147, \u0022payload_entropy\u0022: 5.283938162893175, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222d9f2e11baf28a3fc78c907080932461\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/av RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic M\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/av RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/av RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic M\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/av RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/av RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic M\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cb3800dfbea982e687c7ebc3e3a163fe1311bbbb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/av RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic M\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/av RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic M\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/av RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic M\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/av RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic M\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":147},{"id":9132043,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48612,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 157, \u0022payload_entropy\u0022: 5.256400746926318, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221cfb701efaf4cb69e92246f224ff2c55\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cameraStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizatio\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cameraStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cameraStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizatio\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cameraStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cameraStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizatio\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cfac832b5fef3963734b8d46d8ff515cdf7ac80c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cameraStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizatio\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cameraStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizatio\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cameraStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizatio\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cameraStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizatio\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":157},{"id":9132044,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48620,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 148, \u0022payload_entropy\u0022: 5.282273870898642, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022cc89960696342d4ca7469176387b875b\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cam RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic \u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cam RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cam RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cam RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cam RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002244e79b8f42aa5f72c732a24f62a7b76f0af4906c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cam RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cam RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cam RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cam RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":148},{"id":9132045,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48624,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 155, \u0022payload_entropy\u0022: 5.251333093349725, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ec41bc6fc3c8ce8f0afc3b4e30a4fa8d\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspstream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspstream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspstream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspstream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspstream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c764ab8e3224bec75ed8c82777d06bf94cd4774f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspstream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspstream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspstream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspstream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":155},{"id":9132046,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48640,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 151, \u0022payload_entropy\u0022: 5.270981853430975, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222590a0f968326803496c7dc30ffede8b\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camera RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Bas\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camera RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camera RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Bas\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camera RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camera RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Bas\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f34a471ebc56f5325bcfd919a2968cc1afa58a13\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camera RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Bas\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camera RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Bas\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camera RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Bas\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camera RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Bas\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":151},{"id":9132047,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48658,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 155, \u0022payload_entropy\u0022: 5.265988400334354, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220c120f6c9c281bf88a34bb653b702317\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mainStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mainStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mainStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mainStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mainStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fef2c83fd857b2adc508e5b899ab9f03fa536696\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mainStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mainStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mainStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mainStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization:\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":155},{"id":9132048,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48650,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 140, \u0022payload_entropy\u0022: 5.270409586174162, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002282a52e7b434720aab2835ebdb9840a02\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225ef27020b914433fe9b99419e7f2e6c27279fe75\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":140},{"id":9131955,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47792,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 159, \u0022payload_entropy\u0022: 5.30107423042813, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225ade6f3699a4503c0757fb1331626e6a\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif\/profile1\/media.smp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizat\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif\/profile1\/media.smp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif\/profile1\/media.smp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizat\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif\/profile1\/media.smp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif\/profile1\/media.smp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizat\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d9db20cc7e53261dcd0c39e3d257702a2a1ba9d8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif\/profile1\/media.smp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizat\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif\/profile1\/media.smp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizat\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif\/profile1\/media.smp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizat\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif\/profile1\/media.smp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizat\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":159},{"id":9131956,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47796,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 144, \u0022payload_entropy\u0022: 5.274223679915239, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022de85f0bd928ca35243ec70aa894caff8\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/cam1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/cam1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/cam1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/cam1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/cam1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002254712d9201d2b5129b48f590d4da60ff7bde41df\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/cam1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/cam1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/cam1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/cam1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":144},{"id":9131957,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47860,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 144, \u0022payload_entropy\u0022: 5.290644013086072, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d253225207d3992fbbac1ba5a726bdae\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022820140fec772066bcb6dab2af2ba5df0ad2df583\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":144},{"id":9131958,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47886,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 144, \u0022payload_entropy\u0022: 5.30500287092586, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d51595259e4168a8591aadca49fbaf4d\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live0.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live0.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live0.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live0.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live0.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b6d1e56d1e292a93889eb2ff4ebd193d2db7563b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live0.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live0.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live0.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live0.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":144},{"id":9131959,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47788,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 159, \u0022payload_entropy\u0022: 5.331242352957249, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b3067b880a2ef0b457d84ab485e9aa8e\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch01\/main\/av_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizat\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch01\/main\/av_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch01\/main\/av_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizat\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch01\/main\/av_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch01\/main\/av_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizat\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ecc56ebb9d308fc85f36b7a0ecfc21d403b55fa1\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch01\/main\/av_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizat\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch01\/main\/av_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizat\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch01\/main\/av_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizat\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch01\/main\/av_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizat\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":159},{"id":9131960,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47822,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.274667540074204, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e7293bec876fea73f0ae10278bd48c2e\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b07943fb5b55d35dbd185386ccef99957b093a6c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":146},{"id":9131961,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47764,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 158, \u0022payload_entropy\u0022: 5.292794179809617, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022abad0cbe32df96489bdf1947d12c9844\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/defaultStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizati\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/defaultStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/defaultStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizati\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/defaultStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/defaultStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizati\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224211ede419160428fd3465d0fb4bc7180e00fd59\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/defaultStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizati\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/defaultStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizati\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/defaultStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizati\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/defaultStream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorizati\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":158},{"id":9131962,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47816,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.323894190811827, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221eb29b1e4aeb12cae6264599c57ddc02\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h265_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h265_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h265_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h265_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h265_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002228a814fcc644bcc74b3394682dcf7ad13b74c4b9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h265_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h265_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h265_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h265_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":146},{"id":9131963,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47778,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 144, \u0022payload_entropy\u0022: 5.290420471827874, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bcdaf3ff43188ccaec7755a2ac8cc747\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/channel=1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/channel=1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/channel=1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/channel=1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/channel=1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c555d1d4c952c8e13412ef72a4e2a0ccddbca4b8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/channel=1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/channel=1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/channel=1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/channel=1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022behavior_alert_count\u0022: 2, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":144},{"id":9131964,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47810,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.332422358605229, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222abd23b9af357f8753c37cd801735a2b\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fa3dc6e1f395b9edab30f96c7238b0fde099a888\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":146},{"id":9131965,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47852,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 162, \u0022payload_entropy\u0022: 5.368421917542261, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224891c6ec25e9afbf07fd11f30f5b407b\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultPrimary?streamType=u RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthori\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultPrimary?streamType=u RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultPrimary?streamType=u RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthori\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultPrimary?streamType=u RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultPrimary?streamType=u RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthori\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022352a34236a2077e48db918c973a3263cc82a8165\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultPrimary?streamType=u RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthori\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultPrimary?streamType=u RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthori\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultPrimary?streamType=u RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthori\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultPrimary?streamType=u RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthori\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":162},{"id":9131966,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47916,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 143, \u0022payload_entropy\u0022: 5.2817766291697765, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e2a7b99a3ff9d043e1771ba5afe24580\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002228e98db9d921002bb1a2aeae4d913d07d969249d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwM\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":143},{"id":9131967,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47836,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 144, \u0022payload_entropy\u0022: 5.308227825416902, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002260a5ba855094488e57735d8d6e6aaad3\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022586f7179be1ecec19b3c477f961cbd1b67d8d533\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":144},{"id":9131968,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47900,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 141, \u0022payload_entropy\u0022: 5.285442335976052, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002214f4490017b14b0ab5caacea51718091\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/video1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/video1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/video1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/video1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/video1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bede6682344ac0f79960a13b0dde2166808fba84\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/video1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/video1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/video1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/video1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":141},{"id":9131969,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47874,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 141, \u0022payload_entropy\u0022: 5.278375226597685, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022439d8179aa92d4ea5ef496b871e26530\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022768187797b64b60a1c477f41cae05e9b4763633f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":141},{"id":9131970,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47928,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 144, \u0022payload_entropy\u0022: 5.323440523926233, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f1ecf8c6a870feed73922588564cbc4a\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228d4977fc79d7dac41fa7a435d13e051eded0bd03\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":144},{"id":9131971,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47940,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 150, \u0022payload_entropy\u0022: 5.29763298174975, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002217fffec2493d7a4d7fe67a240dcc6e32\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/media.amp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basi\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/media.amp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/media.amp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/media.amp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/media.amp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220ab25f841c597b753d626079bc3b3149f9c516fe\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/media.amp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basi\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/media.amp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basi\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/media.amp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basi\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/media.amp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basi\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":150},{"id":9131972,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47972,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 152, \u0022payload_entropy\u0022: 5.296779794600432, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c6ee497eca6931c5d4e855845a93ab6b\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/1\/media.amp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Ba\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/1\/media.amp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/1\/media.amp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Ba\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/1\/media.amp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/1\/media.amp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Ba\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a656d9c986026ffcb29a288c72e72142a7681f2f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/1\/media.amp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Ba\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/1\/media.amp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Ba\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/1\/media.amp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Ba\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/1\/media.amp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Ba\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":152},{"id":9131973,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47988,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 148, \u0022payload_entropy\u0022: 5.277281471769183, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002214509af6c5eefb919d25a72c6d2fe04b\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic \u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022058b69123fe0c0a774e6f848827fa609f5d286a9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":148},{"id":9131974,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47956,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 138, \u0022payload_entropy\u0022: 5.286572490723052, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226573bbc4ffb80ca8e56f8a348f99b273\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/cam RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MD\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/cam RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/cam RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MD\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/cam RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/cam RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MD\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022228e9a1c0b85ada216fcef4e40601c6afd893abe\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/cam RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MD\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/cam RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MD\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/cam RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MD\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/cam RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MD\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":138},{"id":9131975,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47992,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 142, \u0022payload_entropy\u0022: 5.292746881320905, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f8233d199a9a645528ab5f28274d08cc\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/medias1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMD\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/medias1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/medias1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMD\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/medias1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/medias1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMD\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fec71bc5309aafde263b7275251c456b2e3e1b33\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/medias1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMD\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/medias1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMD\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/medias1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMD\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/medias1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMD\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":142},{"id":9131976,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":47998,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 148, \u0022payload_entropy\u0022: 5.283623404278505, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022cd6ce2503bdabdfa332a83723cc824d2\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic \u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e4b9d86841711eedc48b4de5a8a45b79e740f476\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":148},{"id":9131977,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48022,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.284850330608607, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002244e4930b070eb5d93251b2df9f672385\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222faf6125fd8d36138266d573188531e972a46d5f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":146},{"id":9131978,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48014,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 144, \u0022payload_entropy\u0022: 5.29266133291561, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022423d9d0b1a6a1294807c0e688c9d72bd\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220ca4b0b2720926aea28957e27cf1cf55a9432f18\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_live RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":144},{"id":9131979,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48004,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 144, \u0022payload_entropy\u0022: 5.29606567316334, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227c40bac14f313b47ffee17408ec332aa\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/play1.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/play1.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/play1.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/play1.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/play1.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f4043ef1105a85a3e56ced66640ec8c8b33bff46\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/play1.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/play1.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/play1.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/play1.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAw\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":144},{"id":9131980,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48026,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.2732510599679, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022047e41662aff5fc93a8e0a3904f2fdae\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229827bf227fe482772581dd9c8c063519217f6cfc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/main RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MD\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":146},{"id":9131981,"ip":"80.70.96.153","ts":"2026-06-15 11:27:48.000000","proto":"tcp","src_port":48034,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 150, \u0022payload_entropy\u0022: 5.290430878673376, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 34351, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022RTSP DESCRIBE\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0770\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 34351, \u0022org\u0022: \u0022MTS PJSC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223b1db47afb4c9f66cf1e1ba5874654a7\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basi\u0022, \u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basic MDAwMDA6MDAwMDA=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002293bc838eb6321a18a18edaabc76cb020fa748511\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basi\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basi\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022pat-0770\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basi\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nAccept: application\/sdp\\r\\nUser-Agent: Lavf\\r\\nAuthorization: Basi\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":150}],"total_events":146}