Détails IP 80.70.96.153

Synthèse exécutive

Profil de menace

Score de risque 49/100 Moyen

Première observation 15/06/2026 11:27 UTC

Dernière observation 15/06/2026 11:27 UTC

Événements (période) 146

MITRE ATT&CK principal TA0007 146 occurrences

Activité suspecte · risque 49/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « rtsp_probe » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 8

Comparaison ASN / FAI

ASN 34351 · 80.70.96.0/20 · RIPENCC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 146 événements sur la période pour cette IP.

94.243.11.199 Sonde port 23/TCP 17/06/2026 06:23 UTC
94.243.9.193 Sonde port 23/TCP 16/06/2026 09:57 UTC
94.243.8.68 Sonde port 23/TCP 15/06/2026 02:18 UTC
80.70.96.139 Sonde port 5903/TCP 14/06/2026 21:14 UTC
94.243.8.185 Sonde port 23/TCP 14/06/2026 14:39 UTC
94.243.15.44 Sonde port 23/TCP 07/06/2026 10:45 UTC
94.243.10.133 port attack 31/05/2026 08:01 UTC
94.243.13.21 web attack 28/05/2026 12:45 UTC

Événements (filtres)

146

Première observation

15/06/2026 11:27 UTC

Dernière observation

15/06/2026 11:27 UTC

Dernière activité (filtres)

15/06/2026 11:27 UTC

Événements 7j

146

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Géolocalisation

Origine réseau déclarée

Russie unknown unknown

FAI / réseau

Opérateur et dernière activité ban

MTS PJSC 0 Port 554 rtsp_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

rtsp probe · via RTSP:554 · (sonde / probe)

Détails protocole

Aperçu payload

DESCRIBE rtsp://62.3.50.33:554/rtsp/ipc RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM

Port / service

554 · RTSP

Service émulé

RTSP

Raison confiance

Confiance 100 % — Motif catalogue confirmé

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0382 pat-0770 Upstream

Confiance

100%

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

146 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

146 événement(s) — page 2/3

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/primary RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Ba Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/primary RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Ba Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/primary RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 152, "payload_entropy": 5.292897620483439, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3db5a7b332139cb5d2e5ca1cfcfbfb3c", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/primary RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/primary RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/primary RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/primary RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/primary RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d4e3e7dadf7c6bd91dc0c6248d843a862ce2afc1", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/primary RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/primary RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/primary RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/primary RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/default RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Ba Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/default RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Ba Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/default RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 152, "payload_entropy": 5.301469784357166, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a8465851c2e85c7c2d48f3fbcad02cfe", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b187470b33eb21953dd0770c34377dba2e9840f7", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Ba", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/rtsp/stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp/stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp/stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 146, "payload_entropy": 5.257739672937144, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "29d995c9ab00b3ce81e6d00f03ece358", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "71d3bf75a6637cff5a999ff7490dd313fbf7a309", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/rtsp/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 144, "payload_entropy": 5.268802019837971, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "35e9d497e86044825a9744ec33e742c2", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "30936e250f35832a9b36b6e671ca25a4ab0d4b27", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/rtsp/default RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic M Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp/default RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic M Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp/default RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 147, "payload_entropy": 5.277396029575598, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "08a8cf7cc77a04358b83cfea8287ba0b", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "afd34bde6abfb875b0a0cfb1027800d32ee03248", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/media.amp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/media.amp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/media.amp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 144, "payload_entropy": 5.288112568804127, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c1465c8d1165a33e3974f82bec950703", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a3e1292bf82f00fbacf94ba1164ba510adb0f87b", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/h265Preview_01_main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/h265Preview_01_main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/h265Preview_01_main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 154, "payload_entropy": 5.356875908697331, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "cb5a94953ff3925dae95138d757b4e55", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265Preview_01_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: ", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265Preview_01_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265Preview_01_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265Preview_01_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265Preview_01_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d73f3d05cb0e128479f6f20315bcc5326ef02f04", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265Preview_01_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265Preview_01_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265Preview_01_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265Preview_01_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/h265 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6M Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/h265 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6M Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/h265 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 139, "payload_entropy": 5.292181387030855, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "666f3e742dfd93ff1eafad1a9a0a8850", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cec3279e205a1be050ba383f3324aacd75a2d05c", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h265 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 141, "payload_entropy": 5.278375226597686, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "93d374574a5f4257a97ae779cbb99502", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d8b3f7ae9d75f726fc9ec66cb9ffd7c11eea49e3", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/rtsp/channel1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp/channel1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp/channel1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 148, "payload_entropy": 5.2672548268005075, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3826d9bb2062a87c727bc9587c0c0197", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/channel1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic ", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/channel1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/channel1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/channel1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/channel1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "94c50d45bff10a092775ad8bf8819016b3ecd95c", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/channel1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/channel1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/channel1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/channel1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/main.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/main.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/main.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 143, "payload_entropy": 5.285155299382171, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "70cf235859e48c923837f46e908054e5", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/main.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/main.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/main.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/main.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/main.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a8411010720897b2625686f4546fc5cce730d031", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/main.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/main.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/main.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/main.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/defaultStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/defaultStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/defaultStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 148, "payload_entropy": 5.3009961677443656, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6c9e44243628fafd80b97099fb901b82", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic ", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a3bf4e7b9f677b81203818a96b1160a9c68b3859", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/defaultStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/image.mpg RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/image.mpg RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/image.mpg RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 144, "payload_entropy": 5.297743276775744, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d9d9f08452f283011a98d1998791c46e", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/image.mpg RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/image.mpg RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/image.mpg RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/image.mpg RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/image.mpg RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0168f83532391782ba33d29ce1779958bf3fce79", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/image.mpg RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/image.mpg RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/image.mpg RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/image.mpg RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/stream/live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/stream/live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/stream/live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 146, "payload_entropy": 5.284850330608607, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8b29fd4ba95bf1b97309c40d4f0023c3", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c502a211e4607db89f494655ac624903611b8f18", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/rtsp_main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp_main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp_main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 144, "payload_entropy": 5.295886287406653, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1f4aaec4a4d3b6142bf21465c3a6258f", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1bef3a12f5362a563933b834031691a2e5945d06", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/profile1/media.smp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: B Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/profile1/media.smp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: B Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/profile1/media.smp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 153, "payload_entropy": 5.298056327777426, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "07e73deeb5223d471431e63c030a21ff", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/profile1\/media.smp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/profile1\/media.smp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/profile1\/media.smp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/profile1\/media.smp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/profile1\/media.smp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dac5101e7f5cd90c367fb0406905d2f3624fc7e0", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/profile1\/media.smp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/profile1\/media.smp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/profile1\/media.smp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/profile1\/media.smp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/mpg4/rtsp.amp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/mpg4/rtsp.amp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/mpg4/rtsp.amp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 148, "payload_entropy": 5.285694394051863, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8b32abfa5a15c8a903213a8aecece80b", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpg4\/rtsp.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic ", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpg4\/rtsp.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpg4\/rtsp.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpg4\/rtsp.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpg4\/rtsp.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9caae2dbc52976b728f0a9aae51c4aeb6961d56b", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpg4\/rtsp.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpg4\/rtsp.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpg4\/rtsp.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpg4\/rtsp.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/Streaming/Unicast/channels/101 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Auth Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/Streaming/Unicast/channels/101 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Auth Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/Streaming/Unicast/channels/101 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 165, "payload_entropy": 5.269937857875499, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b65517e846eec96959088db19ee223ed", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Unicast\/channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuth", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Unicast\/channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Unicast\/channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuth", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Unicast\/channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Unicast\/channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuth", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b37e03fe07769fa365698b116c7ae101ead78761", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Unicast\/channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuth", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Unicast\/channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuth", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Unicast\/channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuth", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Unicast\/channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuth", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/?inst=1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/?inst=1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/?inst=1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 142, "payload_entropy": 5.293612747915371, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5331c82dd202bfe339e02b5d061f96a6", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/?inst=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/?inst=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/?inst=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/?inst=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/?inst=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9c9b896bc44bd9fc77686ae87a3d9a15f76a45c8", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/?inst=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/?inst=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/?inst=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/?inst=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/cam1/mpeg4 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDA Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/cam1/mpeg4 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDA Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/cam1/mpeg4 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 145, "payload_entropy": 5.3068458600012365, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "02b94dd0885159a0542b5e569dcdda01", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam1\/mpeg4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam1\/mpeg4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam1\/mpeg4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam1\/mpeg4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam1\/mpeg4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6c736b5ba22ff4a5e114db033033a8f1bd03d9ad", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam1\/mpeg4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam1\/mpeg4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam1\/mpeg4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam1\/mpeg4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/ipcam.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/ipcam.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/ipcam.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 144, "payload_entropy": 5.276934509953872, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "65665dbee32e7ec93d71acf29faf4fba", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ipcam.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ipcam.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ipcam.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ipcam.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ipcam.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "774104afb9c0f96cfaa5b1f65962459f4feb4828", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ipcam.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ipcam.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ipcam.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ipcam.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/?inst=2 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/?inst=2 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/?inst=2 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 142, "payload_entropy": 5.298928857085537, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f5236a4c6e80e4d70140b29adb9a998b", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/?inst=2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/?inst=2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/?inst=2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/?inst=2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/?inst=2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c229a0c5aa4d27b62731ae7037de0344ab78813b", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/?inst=2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/?inst=2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/?inst=2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/?inst=2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/ipcam_h264.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/ipcam_h264.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/ipcam_h264.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 149, "payload_entropy": 5.330943565586326, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "46b6415777c30032f95623d199b43368", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ipcam_h264.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ipcam_h264.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ipcam_h264.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ipcam_h264.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ipcam_h264.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "193a41810abdee7420caff36e730d1302584381c", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ipcam_h264.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ipcam_h264.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ipcam_h264.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ipcam_h264.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6M Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6M Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 139, "payload_entropy": 5.2846606564005185, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "256c48279e363a9be9c7e6a6cbc1f659", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "72c3ae6d5a5fec12214ca115516ede7d646404a4", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/rtsp_default RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic M Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp_default RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic M Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp_default RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 147, "payload_entropy": 5.303927556989817, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8cd81928c3ceef50b6d61c842cf30f91", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "62aaa529e6e97317f2ea04f7f3ad4cf82de7d84d", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/h264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/h264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/h264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 149, "payload_entropy": 5.311610783564607, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a02b949265dfe0614ff77a701f85e1d9", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0921ad63463bf8363a4d0666d38ac261dc8dc8db", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/ch1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/ch1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/ch1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 138, "payload_entropy": 5.280378628605129, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3a183d8a18f62dd41f437e933a0d4ea6", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aed50d4180786a418a1838af117fc5e0f8bd9490", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/rtpvideo1.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/rtpvideo1.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/rtpvideo1.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 148, "payload_entropy": 5.271397921747043, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "840b9fc2c701803c5783391cb41931a4", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtpvideo1.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic ", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtpvideo1.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtpvideo1.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtpvideo1.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtpvideo1.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "91bf76ac66354353b1ce3862a5892e4c2a7075c9", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtpvideo1.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtpvideo1.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtpvideo1.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtpvideo1.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/h265 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/h265 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/h265 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 149, "payload_entropy": 5.303254323847583, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "832fa1fd0d2152b7ff84ae95ebc742ea", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/h265 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/h265 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/h265 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/h265 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/h265 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3490647931417dd96175d54b588c687296c0bdf5", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/h265 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/h265 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/h265 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/h265 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/cam0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6M Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/cam0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6M Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/cam0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 139, "payload_entropy": 5.2902773402215715, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1c8b5450fb83b0f711abf56a6fb2c696", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "011c70e8480685112d88931901b65a77dd15b239", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/mjpeg RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basi Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/mjpeg RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basi Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/mjpeg RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 150, "payload_entropy": 5.308642878112436, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d66086e5c7fcb4604534c2e2447dcb80", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mjpeg RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mjpeg RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mjpeg RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mjpeg RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mjpeg RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9b8dede74e6771659a9eb6787bb0d811355f3779", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mjpeg RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mjpeg RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mjpeg RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/mjpeg RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/channels/0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/channels/0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/channels/0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 155, "payload_entropy": 5.279806945684353, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "15eb3558879b89a65ba6b8021bd009d6", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/channels\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/channels\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/channels\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/channels\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/channels\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "96706fcdb1c330a0a231bf4fde8e29c1fbb3b90d", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/channels\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/channels\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/channels\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/channels\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/rtsp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6M Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6M Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 139, "payload_entropy": 5.256954070827692, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "56aded3815d64d8ebaa125753f7f44df", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "90eb6d781d0cab9d68e230df252fd557d9fa731d", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/default RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/default RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/default RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 142, "payload_entropy": 5.293612747915371, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7f7ebd077d5805082dba393d93fbd4c3", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a9d6bf076c82ffb9df480ac2a6471586dd01a925", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/default RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_tor_exit_probe rtsp_probe tor_exit_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/monitor/live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic M Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 97% Confiance classification 97% Risque capteur Moyen · 49 Confiance : Confiance 97 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/monitor/live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic M Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/monitor/live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 147, "payload_entropy": 5.2883940950840165, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ede49e53004f29a4185d68116b64086c80bfc558", "event_fingerprint": "96ba8353a2e0c3ee9bf071a6762ce711536fe8ff", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%", "confidence": 0.97, "classification_confidence": 0.97, "precision_score": 110, "precision_signals": [ "pat-0382", "pat-0770" ], "kb_rule_ids": [ "pat-0382", "pat-0770" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 97, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7b9c3852a8b263b9c26bda8252638007", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/monitor\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/monitor\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/monitor\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/monitor\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/monitor\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5680a8c25792d2e0a57a2e9d450a25ba774ed05b", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/monitor\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/monitor\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 97, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/monitor\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/monitor\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 97 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_tor_exit_probe", "rtsp_probe", "tor_exit_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/vis RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/vis RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/vis RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 138, "payload_entropy": 5.2720797370998636, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7db481b35817695f76f4edecb4adb074", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/vis RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/vis RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/vis RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/vis RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/vis RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8bc4c0273433b66e2faea24c949a5d0f00715b8a", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/vis RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/vis RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/vis RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/vis RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/encoder/0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/encoder/0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/encoder/0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 144, "payload_entropy": 5.271109922861719, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "961422a0e97a7bd630c97fe9e462637e", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/encoder\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/encoder\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/encoder\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/encoder\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/encoder\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "89108b7840e94b6e8046f08af1170126452ad0bb", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/encoder\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/encoder\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/encoder\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/encoder\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/ch0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/ch0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/ch0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 138, "payload_entropy": 5.280378628605129, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "56cc3d447d12ed73a2dfb1cd8a18c5b1", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a2c3b43e548e9ce9ca7b79f0dbf6e02cf419125a", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/wfov RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6M Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/wfov RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6M Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/wfov RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 139, "payload_entropy": 5.292181387030856, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "cd3d67473a7d542f9550c79d1e1b46eb", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/wfov RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/wfov RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/wfov RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/wfov RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/wfov RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b9a6d848aac24ad5014ce9912d100c24d72b7555", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/wfov RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/wfov RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/wfov RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/wfov RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_tor_exit_probe rtsp_probe tor_exit_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/monitor/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic M Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 97% Confiance classification 97% Risque capteur Moyen · 49 Confiance : Confiance 97 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/monitor/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic M Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/monitor/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 147, "payload_entropy": 5.275468009846668, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ede49e53004f29a4185d68116b64086c80bfc558", "event_fingerprint": "96ba8353a2e0c3ee9bf071a6762ce711536fe8ff", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%", "confidence": 0.97, "classification_confidence": 0.97, "precision_score": 110, "precision_signals": [ "pat-0382", "pat-0770" ], "kb_rule_ids": [ "pat-0382", "pat-0770" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 97, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "84c806780625a622e6c6f72f2ff5aa1c", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/monitor\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/monitor\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/monitor\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/monitor\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/monitor\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9bbf0d05221ef960ea530863e8ae02a2af80d4cf", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/monitor\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/monitor\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 97, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/monitor\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/monitor\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 97 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_tor_exit_probe", "rtsp_probe", "tor_exit_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 144, "payload_entropy": 5.284014718347301, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5d80a6064fdaae395c587ab6b468d6ba", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b024d2cebc6618bd91812ce56a4661dc180143b0", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/cgi-bin/stream.cgi RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: B Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/cgi-bin/stream.cgi RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: B Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/cgi-bin/stream.cgi RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 153, "payload_entropy": 5.297677102351651, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6656bbf54232c915f85496a0d8e6f6b8", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cgi-bin\/stream.cgi RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cgi-bin\/stream.cgi RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cgi-bin\/stream.cgi RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cgi-bin\/stream.cgi RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cgi-bin\/stream.cgi RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "091a20edd9d1122a10d17df74212398bf9062de0", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cgi-bin\/stream.cgi RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cgi-bin\/stream.cgi RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cgi-bin\/stream.cgi RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cgi-bin\/stream.cgi RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/cgi-bin/liveStream.cgi RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorizatio Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/cgi-bin/liveStream.cgi RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorizatio Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/cgi-bin/liveStream.cgi RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 157, "payload_entropy": 5.307992246735935, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7d529b8cc04ab402d862d73bebdeb1f3", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cgi-bin\/liveStream.cgi RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cgi-bin\/liveStream.cgi RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cgi-bin\/liveStream.cgi RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cgi-bin\/liveStream.cgi RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cgi-bin\/liveStream.cgi RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b3988284d709b232c1ae8120ace5e332edccffda", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cgi-bin\/liveStream.cgi RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cgi-bin\/liveStream.cgi RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cgi-bin\/liveStream.cgi RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cgi-bin\/liveStream.cgi RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/rtsp/video RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDA Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp/video RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDA Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp/video RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 145, "payload_entropy": 5.266314501769609, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1fb8a0c77f25df7da766308f950e899b", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61f52d5ba1c2e1c2feb3277336b46a82919a5676", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/avn=2 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6 Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/avn=2 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6 Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/avn=2 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 140, "payload_entropy": 5.293105564523499, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "89c6fc1b0aaf01a9a947b83e0c73749c", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avn=2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avn=2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avn=2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avn=2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avn=2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0782fb738dd6846dd879840faa5d68bb2c8eb1b3", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avn=2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avn=2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avn=2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/avn=2 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/cam0_1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/cam0_1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/cam0_1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 141, "payload_entropy": 5.317287903321251, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "02fb2bd8a1600b23ea2fd6c200ef4873", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0_1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0_1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0_1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0_1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0_1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d70ee1b68db35d0f7860c5f838b5dbbb5945e5a2", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0_1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0_1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0_1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0_1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/rtsp/camera RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp/camera RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp/camera RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 146, "payload_entropy": 5.261145838354772, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "638953ec3bf5bde8f7b93cee692769c8", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6d19e6a7bec504bfaf1d39d61753e0342c546fab", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp\/camera RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/multicaststream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basi Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/multicaststream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basi Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/multicaststream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 150, "payload_entropy": 5.276450068623702, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "eecb0a6954a204ab7b89ea04422c6ee4", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/multicaststream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/multicaststream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/multicaststream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/multicaststream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/multicaststream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3db4904e1bf2cd6a921042d094ad2ffae2678c85", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/multicaststream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/multicaststream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/multicaststream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/multicaststream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basi", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:48 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/VideoInput/1/h264/1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/VideoInput/1/h264/1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/VideoInput/1/h264/1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 154, "payload_entropy": 5.3245353243379405, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f1464286d23fb930f534c12dfec0b668", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/VideoInput\/1\/h264\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: ", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/VideoInput\/1\/h264\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/VideoInput\/1\/h264\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/VideoInput\/1\/h264\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/VideoInput\/1\/h264\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "290327f68f45533e4a2703927e368233795de5e0", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/VideoInput\/1\/h264\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/VideoInput\/1\/h264\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/VideoInput\/1\/h264\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/VideoInput\/1\/h264\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	rtsp rtsp · via RTSP:554 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Pourquoi cette classification : Type « rtsp » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "8e3f9e48f39b04739815fd1693b1af90d71a227f", "event_fingerprint": "f089fe7be3f172bb5e3847a38a4c2e2a5878053f", "classification_reason": "Type \u00ab rtsp \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6fb9e4f877fce8e8134bd958993fdfda" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 0 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cc4a69e3fd4749e6222d364c76dd8683de330cb8", "protocol_details": { "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab rtsp \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 0, "risk_label": "Faible", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }

80.70.96.153

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence