Détails IP 80.70.96.153

Synthèse exécutive

Profil de menace

Score de risque 49/100 Moyen

Première observation 15/06/2026 11:27 UTC

Dernière observation 15/06/2026 11:27 UTC

Événements (période) 146

MITRE ATT&CK principal TA0007 146 occurrences

Activité suspecte · risque 49/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « rtsp_probe » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 8

Comparaison ASN / FAI

ASN 34351 · 80.70.96.0/20 · RIPENCC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 146 événements sur la période pour cette IP.

94.243.11.199 Sonde port 23/TCP 17/06/2026 06:23 UTC
94.243.9.193 Sonde port 23/TCP 16/06/2026 09:57 UTC
94.243.8.68 Sonde port 23/TCP 15/06/2026 02:18 UTC
80.70.96.139 Sonde port 5903/TCP 14/06/2026 21:14 UTC
94.243.8.185 Sonde port 23/TCP 14/06/2026 14:39 UTC
94.243.15.44 Sonde port 23/TCP 07/06/2026 10:45 UTC
94.243.10.133 port attack 31/05/2026 08:01 UTC
94.243.13.21 web attack 28/05/2026 12:45 UTC

Événements (filtres)

146

Première observation

15/06/2026 11:27 UTC

Dernière observation

15/06/2026 11:27 UTC

Dernière activité (filtres)

15/06/2026 11:27 UTC

Événements 7j

146

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Géolocalisation

Origine réseau déclarée

Russie unknown unknown

FAI / réseau

Opérateur et dernière activité ban

MTS PJSC 0 Port 554 rtsp_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

rtsp probe · via RTSP:554 · (sonde / probe)

Détails protocole

Aperçu payload

DESCRIBE rtsp://62.3.50.33:554/rtsp/ipc RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM

Port / service

554 · RTSP

Service émulé

RTSP

Raison confiance

Confiance 100 % — Motif catalogue confirmé

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0382 pat-0770 Upstream

Confiance

100%

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

146 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

146 événement(s) — page 1/3

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 11:27:49 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/outputStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorizatio Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/outputStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorizatio Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/outputStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 157, "payload_entropy": 5.270189263081607, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e4fc07fdad193c224b13fa7e3768d5e4", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/outputStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/outputStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/outputStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/outputStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/outputStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3cdd019650c552cfd8d4d94304b671559bb5dafc", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/outputStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/outputStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/outputStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/outputStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:49 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/videoStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/videoStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/videoStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 156, "payload_entropy": 5.28383260866098, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5b66d8e32508edfd1ec28550c23056ba", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/videoStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/videoStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/videoStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/videoStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/videoStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6b8ce34634084df8ea136b2cbb34c8652276498f", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/videoStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/videoStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/videoStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/videoStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:49 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/camStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/camStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/camStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 154, "payload_entropy": 5.270491921762397, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a794993c9dd50da6627de1f6777f9e26", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: ", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8033394c65a4dac46ee6f9df094c9c096225200d", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:49 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/ipcStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/ipcStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/ipcStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 154, "payload_entropy": 5.264398149475343, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "653caea3a5cb06a85016a59916c645ed", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/ipcStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: ", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/ipcStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/ipcStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/ipcStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/ipcStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "46a909d7ca2b84acde2a068496b672c48b73dae9", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/ipcStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/ipcStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/ipcStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/ipcStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:49 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/rtspStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/rtspStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/rtspStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 155, "payload_entropy": 5.257117589815788, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "cd1efe2aa2c9a27c60dd0747a26a95b1", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1f35728dc34f5c3363708cb93cdaa9e201fc7696", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:49 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/rtsp/ipc RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp/ipc RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp/ipc RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 143, "payload_entropy": 5.241215307073412, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "32a16dcd04de9209406ae4aea3a0c051", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bcf1deba0f8ff56b68f6d4ed31f98e948625fe20", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/ipc RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/av2 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/av2 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/av2 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 138, "payload_entropy": 5.283743798508826, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5ef2e3966c308933ffce895fd2430fea", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0596ac1eb79c3747424575d41d3a27b8faac04ed", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/rtsph264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsph264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsph264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 143, "payload_entropy": 5.288744897857538, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "596bc4b66a763c297f254bf28d056604", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsph264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsph264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsph264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsph264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsph264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bd5e1a870555906fe4bdef5e5853eec4a6fed132", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsph264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsph264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsph264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsph264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/live_mpeg4.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/live_mpeg4.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/live_mpeg4.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 149, "payload_entropy": 5.336009924661248, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2f1884a0cc1e7c2a0e06e0fbcd163a24", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live_mpeg4.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live_mpeg4.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live_mpeg4.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live_mpeg4.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live_mpeg4.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "57ccbb3e6e2a401a622c37cbaf1620824782e1c8", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live_mpeg4.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live_mpeg4.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live_mpeg4.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live_mpeg4.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/videoinput_1/h264_1/media.stm RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Autho Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/videoinput_1/h264_1/media.stm RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Autho Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/videoinput_1/h264_1/media.stm RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 164, "payload_entropy": 5.349190115438437, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "07ae7641b138eb81b4da5ea803422bc0", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoinput_1\/h264_1\/media.stm RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAutho", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoinput_1\/h264_1\/media.stm RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoinput_1\/h264_1\/media.stm RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAutho", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoinput_1\/h264_1\/media.stm RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoinput_1\/h264_1\/media.stm RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAutho", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "be71171a37aedc691696b5d7385155dcd5743d1c", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoinput_1\/h264_1\/media.stm RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAutho", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoinput_1\/h264_1\/media.stm RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAutho", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoinput_1\/h264_1\/media.stm RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAutho", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoinput_1\/h264_1\/media.stm RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAutho", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/HighResolutionVideo RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/HighResolutionVideo RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/HighResolutionVideo RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 154, "payload_entropy": 5.329604928566034, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "44075d03807c0c8ddfb2cce0cf5cd084", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/HighResolutionVideo RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: ", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/HighResolutionVideo RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/HighResolutionVideo RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/HighResolutionVideo RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/HighResolutionVideo RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5bb07eb1a7c8d7c083d7a823ce3e5ea96f8b34aa", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/HighResolutionVideo RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/HighResolutionVideo RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/HighResolutionVideo RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/HighResolutionVideo RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/video1+audio1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/video1+audio1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/video1+audio1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 148, "payload_entropy": 5.310258394209969, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e50fe699840e132c2420d1c8297adc88", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video1+audio1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic ", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video1+audio1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video1+audio1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video1+audio1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video1+audio1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a416d2d38e1187087f84299fc1eb00e86c4cf92b", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video1+audio1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video1+audio1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video1+audio1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video1+audio1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/rtsp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/rtsp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/rtsp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 149, "payload_entropy": 5.264607175660913, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1add83cac5901e193b350eb0120148c8", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtsp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtsp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtsp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtsp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtsp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b44efcc14febd88582e1a815f2b6b72691b578d4", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtsp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtsp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtsp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtsp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/rtspfeed RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: B Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/rtspfeed RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: B Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/rtspfeed RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 153, "payload_entropy": 5.27522127827858, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e1809754e78d9a5de7451fd5c49064d2", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspfeed RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspfeed RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspfeed RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspfeed RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspfeed RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2f9b2045da23d9f7c8f079b51e15fbb2d2e43314", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspfeed RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspfeed RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspfeed RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspfeed RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/av/mainStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/av/mainStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/av/mainStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 148, "payload_entropy": 5.279744498638104, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c1a90c96005c7325eef36259f330f56b", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/mainStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic ", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/mainStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/mainStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/mainStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/mainStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1a67934671a5c5c0e47401ea736ae738f693d688", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/mainStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/mainStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/mainStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/mainStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/av/defaultStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Bas Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/av/defaultStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Bas Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/av/defaultStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 151, "payload_entropy": 5.299992054805837, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "11f08648912457c6d6e0d6a4827d9550", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c99efc0e1d28e140cf31c9a43bc147632ccbf64c", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/av RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic M Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/av RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic M Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/av RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 147, "payload_entropy": 5.283938162893175, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2d9f2e11baf28a3fc78c907080932461", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/av RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/av RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/av RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/av RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/av RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cb3800dfbea982e687c7ebc3e3a163fe1311bbbb", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/av RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/av RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/av RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/av RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/cameraStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorizatio Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/cameraStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorizatio Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/cameraStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 157, "payload_entropy": 5.256400746926318, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1cfb701efaf4cb69e92246f224ff2c55", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cameraStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cameraStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cameraStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cameraStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cameraStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cfac832b5fef3963734b8d46d8ff515cdf7ac80c", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cameraStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cameraStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cameraStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cameraStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/cam RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/cam RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/cam RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 148, "payload_entropy": 5.282273870898642, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "cc89960696342d4ca7469176387b875b", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic ", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "44e79b8f42aa5f72c732a24f62a7b76f0af4906c", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/rtspstream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/rtspstream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/rtspstream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 155, "payload_entropy": 5.251333093349725, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ec41bc6fc3c8ce8f0afc3b4e30a4fa8d", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c764ab8e3224bec75ed8c82777d06bf94cd4774f", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/rtspstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/camera RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Bas Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/camera RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Bas Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/camera RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 151, "payload_entropy": 5.270981853430975, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2590a0f968326803496c7dc30ffede8b", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f34a471ebc56f5325bcfd919a2968cc1afa58a13", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/mainStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/mainStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/mainStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 155, "payload_entropy": 5.265988400334354, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0c120f6c9c281bf88a34bb653b702317", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mainStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mainStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mainStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mainStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mainStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fef2c83fd857b2adc508e5b899ab9f03fa536696", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mainStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mainStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mainStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mainStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/1.AMP RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6 Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/1.AMP RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6 Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/1.AMP RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 140, "payload_entropy": 5.270409586174162, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "82a52e7b434720aab2835ebdb9840a02", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5ef27020b914433fe9b99419e7f2e6c27279fe75", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/onvif/profile1/media.smp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorizat Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/onvif/profile1/media.smp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorizat Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/onvif/profile1/media.smp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 159, "payload_entropy": 5.30107423042813, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5ade6f3699a4503c0757fb1331626e6a", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif\/profile1\/media.smp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizat", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif\/profile1\/media.smp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif\/profile1\/media.smp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizat", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif\/profile1\/media.smp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif\/profile1\/media.smp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizat", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d9db20cc7e53261dcd0c39e3d257702a2a1ba9d8", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif\/profile1\/media.smp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizat", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif\/profile1\/media.smp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizat", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif\/profile1\/media.smp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizat", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif\/profile1\/media.smp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizat", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/rtsp/cam1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp/cam1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp/cam1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 144, "payload_entropy": 5.274223679915239, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "de85f0bd928ca35243ec70aa894caff8", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/cam1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/cam1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/cam1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/cam1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/cam1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "54712d9201d2b5129b48f590d4da60ff7bde41df", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/cam1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/cam1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/cam1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/cam1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/live/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/live/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/live/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 144, "payload_entropy": 5.290644013086072, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d253225207d3992fbbac1ba5a726bdae", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "820140fec772066bcb6dab2af2ba5df0ad2df583", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/live0.264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/live0.264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/live0.264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 144, "payload_entropy": 5.30500287092586, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d51595259e4168a8591aadca49fbaf4d", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live0.264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live0.264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live0.264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live0.264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live0.264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b6d1e56d1e292a93889eb2ff4ebd193d2db7563b", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live0.264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live0.264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live0.264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live0.264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/h264/ch01/main/av_stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorizat Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/h264/ch01/main/av_stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorizat Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/h264/ch01/main/av_stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 159, "payload_entropy": 5.331242352957249, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b3067b880a2ef0b457d84ab485e9aa8e", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch01\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizat", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch01\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch01\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizat", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch01\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch01\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizat", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ecc56ebb9d308fc85f36b7a0ecfc21d403b55fa1", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch01\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizat", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch01\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizat", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch01\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizat", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch01\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizat", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/stream/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/stream/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/stream/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 146, "payload_entropy": 5.274667540074204, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e7293bec876fea73f0ae10278bd48c2e", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b07943fb5b55d35dbd185386ccef99957b093a6c", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/defaultStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorizati Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/defaultStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorizati Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/defaultStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 158, "payload_entropy": 5.292794179809617, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "abad0cbe32df96489bdf1947d12c9844", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizati", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizati", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizati", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4211ede419160428fd3465d0fb4bc7180e00fd59", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizati", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizati", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizati", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizati", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/h265_stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/h265_stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/h265_stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 146, "payload_entropy": 5.323894190811827, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1eb29b1e4aeb12cae6264599c57ddc02", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "28a814fcc644bcc74b3394682dcf7ad13b74c4b9", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/channel=1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/channel=1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/channel=1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 144, "payload_entropy": 5.290420471827874, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bcdaf3ff43188ccaec7755a2ac8cc747", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c555d1d4c952c8e13412ef72a4e2a0ccddbca4b8", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ], "behavior_alert_count": 2, "behavior_priority": 72 }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/h264_stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/h264_stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/h264_stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 146, "payload_entropy": 5.332422358605229, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2abd23b9af357f8753c37cd801735a2b", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fa3dc6e1f395b9edab30f96c7238b0fde099a888", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/defaultPrimary?streamType=u RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authori Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/defaultPrimary?streamType=u RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authori Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/defaultPrimary?streamType=u RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 162, "payload_entropy": 5.368421917542261, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4891c6ec25e9afbf07fd11f30f5b407b", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultPrimary?streamType=u RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthori", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultPrimary?streamType=u RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultPrimary?streamType=u RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthori", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultPrimary?streamType=u RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultPrimary?streamType=u RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthori", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "352a34236a2077e48db918c973a3263cc82a8165", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultPrimary?streamType=u RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthori", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultPrimary?streamType=u RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthori", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultPrimary?streamType=u RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthori", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultPrimary?streamType=u RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthori", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/avstream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/avstream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/avstream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 143, "payload_entropy": 5.2817766291697765, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e2a7b99a3ff9d043e1771ba5afe24580", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "28e98db9d921002bb1a2aeae4d913d07d969249d", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/live/h264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/live/h264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/live/h264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 144, "payload_entropy": 5.308227825416902, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "60a5ba855094488e57735d8d6e6aaad3", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "586f7179be1ecec19b3c477f961cbd1b67d8d533", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/video1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/video1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/video1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 141, "payload_entropy": 5.285442335976052, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "14f4490017b14b0ab5caacea51718091", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bede6682344ac0f79960a13b0dde2166808fba84", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/camera RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/camera RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/camera RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 141, "payload_entropy": 5.278375226597685, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "439d8179aa92d4ea5ef496b871e26530", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "768187797b64b60a1c477f41cae05e9b4763633f", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/ch0_0.264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/ch0_0.264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/ch0_0.264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 144, "payload_entropy": 5.323440523926233, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f1ecf8c6a870feed73922588564cbc4a", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8d4977fc79d7dac41fa7a435d13e051eded0bd03", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/mpeg4/media.amp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basi Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/mpeg4/media.amp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basi Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/mpeg4/media.amp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 150, "payload_entropy": 5.29763298174975, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "17fffec2493d7a4d7fe67a240dcc6e32", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0ab25f841c597b753d626079bc3b3149f9c516fe", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/mpeg4/1/media.amp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Ba Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/mpeg4/1/media.amp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Ba Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/mpeg4/1/media.amp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 152, "payload_entropy": 5.296779794600432, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c6ee497eca6931c5d4e855845a93ab6b", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/1\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/1\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/1\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/1\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/1\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a656d9c986026ffcb29a288c72e72142a7681f2f", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/1\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/1\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/1\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4\/1\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/avstream/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/avstream/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/avstream/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 148, "payload_entropy": 5.277281471769183, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "14509af6c5eefb919d25a72c6d2fe04b", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic ", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "058b69123fe0c0a774e6f848827fa609f5d286a9", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/cam RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/cam RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/cam RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 138, "payload_entropy": 5.286572490723052, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6573bbc4ffb80ca8e56f8a348f99b273", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "228e9a1c0b85ada216fcef4e40601c6afd893abe", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/medias1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/medias1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/medias1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 142, "payload_entropy": 5.292746881320905, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f8233d199a9a645528ab5f28274d08cc", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/medias1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/medias1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/medias1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/medias1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/medias1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fec71bc5309aafde263b7275251c456b2e3e1b33", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/medias1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/medias1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/medias1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/medias1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/avstream/live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/avstream/live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/avstream/live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 148, "payload_entropy": 5.283623404278505, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "cd6ce2503bdabdfa332a83723cc824d2", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic ", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e4b9d86841711eedc48b4de5a8a45b79e740f476", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avstream\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/camera/live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/camera/live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/camera/live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 146, "payload_entropy": 5.284850330608607, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "44e4930b070eb5d93251b2df9f672385", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2faf6125fd8d36138266d573188531e972a46d5f", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/rtsp_live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp_live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp_live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 144, "payload_entropy": 5.29266133291561, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "423d9d0b1a6a1294807c0e688c9d72bd", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0ca4b0b2720926aea28957e27cf1cf55a9432f18", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/play1.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/play1.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/play1.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 144, "payload_entropy": 5.29606567316334, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7c40bac14f313b47ffee17408ec332aa", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/play1.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/play1.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/play1.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/play1.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/play1.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f4043ef1105a85a3e56ced66640ec8c8b33bff46", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/play1.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/play1.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/play1.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/play1.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/camera/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/camera/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/camera/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 146, "payload_entropy": 5.2732510599679, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "047e41662aff5fc93a8e0a3904f2fdae", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9827bf227fe482772581dd9c8c063519217f6cfc", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/camera\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/video RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basi Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/video RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basi Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/video RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 150, "payload_entropy": 5.290430878673376, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3b1db47afb4c9f66cf1e1ba5874654a7", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "93bc838eb6321a18a18edaabc76cb020fa748511", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }

80.70.96.153

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence