Détails IP 80.70.96.153

Synthèse exécutive

Profil de menace

Score de risque 49/100 Moyen

Première observation 15/06/2026 11:27 UTC

Dernière observation 15/06/2026 11:27 UTC

Événements (période) 146

MITRE ATT&CK principal TA0007 146 occurrences

Activité suspecte · risque 49/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « rtsp_probe » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 8

Comparaison ASN / FAI

ASN 34351 · 80.70.96.0/20 · RIPENCC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 146 événements sur la période pour cette IP.

94.243.11.199 Sonde port 23/TCP 17/06/2026 06:23 UTC
94.243.9.193 Sonde port 23/TCP 16/06/2026 09:57 UTC
94.243.8.68 Sonde port 23/TCP 15/06/2026 02:18 UTC
80.70.96.139 Sonde port 5903/TCP 14/06/2026 21:14 UTC
94.243.8.185 Sonde port 23/TCP 14/06/2026 14:39 UTC
94.243.15.44 Sonde port 23/TCP 07/06/2026 10:45 UTC
94.243.10.133 port attack 31/05/2026 08:01 UTC
94.243.13.21 web attack 28/05/2026 12:45 UTC

Événements (filtres)

146

Première observation

15/06/2026 11:27 UTC

Dernière observation

15/06/2026 11:27 UTC

Dernière activité (filtres)

15/06/2026 11:27 UTC

Événements 7j

146

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Géolocalisation

Origine réseau déclarée

Russie unknown unknown

FAI / réseau

Opérateur et dernière activité ban

MTS PJSC 0 Port 554 rtsp_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

rtsp probe · via RTSP:554 · (sonde / probe)

Détails protocole

Aperçu payload

DESCRIBE rtsp://62.3.50.33:554/rtsp/ipc RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM

Port / service

554 · RTSP

Service émulé

RTSP

Raison confiance

Confiance 100 % — Motif catalogue confirmé

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0382 pat-0770 Upstream

Confiance

100%

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

146 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

146 événement(s) — page 3/3

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/ RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwM Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/ RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwM Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/ RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 135, "payload_entropy": 5.270003772522842, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f78ebc47c559eacfbc59f866eae389d3", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwM", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwM", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwM", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "099e741b05fe8c77a4ef1660082e348534c6bde3", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwM", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwM", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/axis-media/media.amp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/axis-media/media.amp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/axis-media/media.amp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 155, "payload_entropy": 5.293745434998794, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e89361b42b8a2ab36f922276a506fe6e", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/axis-media\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/axis-media\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/axis-media\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/axis-media\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/axis-media\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "347b085feff4690325cdc74eb21fd0496b026ee1", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/axis-media\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/axis-media\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/axis-media\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/axis-media\/media.amp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/profile1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/profile1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/profile1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 143, "payload_entropy": 5.281727152559283, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e399bc7842f91cc3f4c38bccdad0f6c2", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/profile1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/profile1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/profile1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/profile1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/profile1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "36dde57f20a794091ccbe8624b9fcbb28abcd489", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/profile1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/profile1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/profile1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/profile1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/Streaming/Channels/101 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorizatio Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/Streaming/Channels/101 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorizatio Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/Streaming/Channels/101 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 157, "payload_entropy": 5.295133925757196, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "663aabca2275d08403f631e3e7c75806", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "994372b4d9ec5af42b73e8822dbeb7e2e28b5372", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizatio", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/h264/ch1/main/av_stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorizati Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/h264/ch1/main/av_stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorizati Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/h264/ch1/main/av_stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 158, "payload_entropy": 5.327034113570485, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9ff720b99fe62e13c403034d02952d16", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch1\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizati", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch1\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch1\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizati", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch1\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch1\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizati", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "db86c64801baf36d99b1306ff64d80afa6429261", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch1\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizati", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch1\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizati", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch1\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizati", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264\/ch1\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorizati", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/media/video1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic M Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/media/video1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic M Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/media/video1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 147, "payload_entropy": 5.294731039683192, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "60f1b4d98adcb183c6a83e5b2d3ecb0f", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/media\/video1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/media\/video1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/media\/video1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/media\/video1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/media\/video1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "51794eeb0a1910c961218493748377b5a4719077", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/media\/video1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/media\/video1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/media\/video1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/media\/video1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/h264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6M Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/h264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6M Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/h264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 139, "payload_entropy": 5.301139030900182, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c41a92b49d9efce89e5f70fdcafc33db", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ec108a0831904580ebc9cb3dfd499c95fc2f7ec6", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/live/ch00_0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/live/ch00_0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/live/ch00_0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 146, "payload_entropy": 5.309353416452827, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "95a4c298020a9c30e3124e727dc720ae", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b2ca9a4857709c07ff7acf87d4a164cd9d83377a", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/videoMain RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/videoMain RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/videoMain RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 144, "payload_entropy": 5.270125829458411, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "62341a25a91a234d124c1391647b25d0", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoMain RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoMain RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoMain RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoMain RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoMain RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "afe41253c934279346daf4218f01927be7fb1c24", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoMain RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoMain RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoMain RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoMain RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/channel1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/channel1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/channel1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 143, "payload_entropy": 5.281209432830983, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "586cf1b72a76ffff4a30eb7a1f4da69d", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/channel1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/channel1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/channel1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/channel1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/channel1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c8e1def2bd4e9ec176ebea6d71b4a85f50c32a89", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/channel1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/channel1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/channel1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/channel1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/stream1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMD Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/stream1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMD Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/stream1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 142, "payload_entropy": 5.28227725161652, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "14475054fd0e9846902374009659ae5b", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2861ce6b95f93967fb0a8f2e454333161df48b48", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMD", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/live.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/live.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/live.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 143, "payload_entropy": 5.281907792761819, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7d535d112f73adda4dd5d8a06ad0f568", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a1231f5575dc5b1478086f3bb0d2c3f068ff74f9", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/Streaming/Channels/1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/Streaming/Channels/1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/Streaming/Channels/1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 155, "payload_entropy": 5.289547429583237, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a601ab5ec75f5f8d5cd7c58a5da9ea19", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ff7b174870cf8f37da4943909263525bcf6515bc", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/video.mp4 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/video.mp4 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/video.mp4 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 144, "payload_entropy": 5.307534315207806, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1c042e940ffee73060f4cc4dba2a6296", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video.mp4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video.mp4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video.mp4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video.mp4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video.mp4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "65fccfa247eff5a6f35a87c09ca19d18835a46ae", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video.mp4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video.mp4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video.mp4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video.mp4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/h264Preview_01_main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/h264Preview_01_main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/h264Preview_01_main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 154, "payload_entropy": 5.364961054787178, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2ddbd8761eaa0929385e2f12e84b4d0c", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: ", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d88b835122661258f3f8365c18b0f8fbd29147a1", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_tor_exit_probe rtsp_probe tor_exit_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/cam/realmonitor?channel=1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authoriza Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 97% Confiance classification 97% Risque capteur Moyen · 49 Confiance : Confiance 97 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/cam/realmonitor?channel=1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authoriza Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/cam/realmonitor?channel=1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 160, "payload_entropy": 5.314142764847427, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ede49e53004f29a4185d68116b64086c80bfc558", "event_fingerprint": "96ba8353a2e0c3ee9bf071a6762ce711536fe8ff", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%", "confidence": 0.97, "classification_confidence": 0.97, "precision_score": 110, "precision_signals": [ "pat-0382", "pat-0770" ], "kb_rule_ids": [ "pat-0382", "pat-0770" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 97, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0cf4281c6c4f346ea19b58619c12edbb", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthoriza", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthoriza", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthoriza", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf37729376c4e0132ac79c13af854dc73d6f14bd", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthoriza", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthoriza", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 97, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthoriza", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthoriza", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 97 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_tor_exit_probe", "rtsp_probe", "tor_exit_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6M Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6M Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 139, "payload_entropy": 5.281319696352243, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c60ed5dd1682e124b2293b7dd5ab3cc", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9cb2387941695a7839962b0f58548c10b1ef3cc4", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6M", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/h264.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/h264.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/h264.sdp RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 143, "payload_entropy": 5.301172740329397, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b0a605f0634ccdd4c67d5da81dba3c87", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "14c8e416b4c283caa4d10ee06f20d2d55a4d982b", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264.sdp RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/video RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6 Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/video RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6 Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/video RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 140, "payload_entropy": 5.281608132563235, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3c02cf97f882dac6eeb382b093349ba5", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2a851cfc0d676e52878d6c7a5072ab1c347137f6", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ], "behavior_alert_count": 1, "behavior_priority": 84 }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/stream/video RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic M Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/stream/video RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic M Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/stream/video RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 147, "payload_entropy": 5.285581529697163, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d649a478eefeb17709091abaaf443084", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "944ecfe371428ea015990740e497da7447e86f6c", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/video RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/rtspfeed RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/rtspfeed RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/rtspfeed RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 143, "payload_entropy": 5.26947995028996, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "409c52315fccdb8f6413caeadd7a5bd5", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtspfeed RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtspfeed RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtspfeed RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtspfeed RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtspfeed RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c10ba86d7805550d837c969889d38aecd2a13b89", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtspfeed RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtspfeed RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtspfeed RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtspfeed RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/mpeg4 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6 Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/mpeg4 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6 Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/mpeg4 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 140, "payload_entropy": 5.304787507547783, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4eb149b19f6dc18f4739208c88261e49", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "52e029f89b59b1cb68a79d6e8cf21240e2d2a081", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/mpeg4 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/h264Preview_01_sub RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: B Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/h264Preview_01_sub RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: B Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/h264Preview_01_sub RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 153, "payload_entropy": 5.380238765395767, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8fa40c31988443bddaea4f7834b497d4", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264Preview_01_sub RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264Preview_01_sub RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264Preview_01_sub RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264Preview_01_sub RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264Preview_01_sub RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ed64bfa6f7867be9b3e7f7dcdb8153fbfe979fa0", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264Preview_01_sub RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264Preview_01_sub RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264Preview_01_sub RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/h264Preview_01_sub RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: B", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/11 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDA Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/11 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDA Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/11 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 137, "payload_entropy": 5.2738014529511865, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "49553ce59b305daa66babe38941510c2", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/11 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDA", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/11 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/11 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDA", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/11 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/11 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDA", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d76f57c6bf9077feb1c1318b2b520b8ae161b472", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/11 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/11 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDA", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/11 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/11 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDA", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/ch0_0.h264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDA Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/ch0_0.h264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDA Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/ch0_0.h264 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 145, "payload_entropy": 5.327159764053008, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6fdf71c67a5a0118fbec39ebc92d0ca8", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4cd64581e0a707f173a0b8e1b31bf656da51ff5a", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ch0_0.h264 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/videoSub RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/videoSub RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/videoSub RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 143, "payload_entropy": 5.314279754182034, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c17305031b1a2618d687e4266b644908", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoSub RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoSub RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoSub RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoSub RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoSub RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0f21559ec858fd2f4b8eab640a96145ce535724c", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoSub RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoSub RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoSub RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/videoSub RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/onvif1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/onvif1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/onvif1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 141, "payload_entropy": 5.288027640774636, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e7bdf78a621d83261e373547077b6349", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "43dcd3574f2493462ebb3c26da251f23bd31fa99", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/stream/cam RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDA Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/stream/cam RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDA Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/stream/cam RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 145, "payload_entropy": 5.275927585240048, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "08672f908a883430b568ed65d6b9ace6", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a10c8c1d8d4c6dd3eff78d3f8b1113cf3b437029", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/stream\/cam RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/MPEG-4/ch1/main/av_stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authoriza Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/MPEG-4/ch1/main/av_stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authoriza Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/MPEG-4/ch1/main/av_stream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 160, "payload_entropy": 5.3520485871366175, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e51f8ed91fc6227302e98f9f87abb247", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/MPEG-4\/ch1\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthoriza", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/MPEG-4\/ch1\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/MPEG-4\/ch1\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthoriza", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/MPEG-4\/ch1\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/MPEG-4\/ch1\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthoriza", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b3ee3bd366df6dadefb42422819e6164e65bfa44", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/MPEG-4\/ch1\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthoriza", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/MPEG-4\/ch1\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthoriza", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/MPEG-4\/ch1\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthoriza", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/MPEG-4\/ch1\/main\/av_stream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthoriza", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/live/ch0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/live/ch0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwM Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/live/ch0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 143, "payload_entropy": 5.287885086274221, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "01d13efbea24cfbd2cab475c7b850ebc", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/ch0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/ch0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/ch0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/ch0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/ch0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "80a142ba115fdb194947c4dc22cbd4d9b07627d8", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/ch0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/ch0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/ch0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/live\/ch0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwM", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/cam0_0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/cam0_0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/cam0_0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 141, "payload_entropy": 5.313811130302294, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "81ed6ea5283b13c93dbe8d7f49efacc3", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "50812cd5aca198c1d84526bd25ffe53f230f7eda", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/cam0_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/live RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 149, "payload_entropy": 5.2895506729753246, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ad8601bc677899fe22333877da490d19", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c2b3374c0b8cca1e2ac069da5f0a00edaa1d2e02", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/live RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 136, "payload_entropy": 5.2736798720338465, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f2f4bd566ad22dea162b4e86dfd30b01", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "418a20ea30c1c430df23ba8243b03a2aba544d89", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/ISAPI/Streaming/channels/101 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Author Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/ISAPI/Streaming/channels/101 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Author Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/ISAPI/Streaming/channels/101 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 163, "payload_entropy": 5.300656109616524, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c5cb84fce74aea782902ef4662ef38db", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ISAPI\/Streaming\/channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthor", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ISAPI\/Streaming\/channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ISAPI\/Streaming\/channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthor", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ISAPI\/Streaming\/channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ISAPI\/Streaming\/channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthor", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "06a378758b8ec75a823214093fc6befdc82d10f4", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ISAPI\/Streaming\/channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthor", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ISAPI\/Streaming\/channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthor", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ISAPI\/Streaming\/channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthor", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/ISAPI\/Streaming\/channels\/101 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthor", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/main RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 149, "payload_entropy": 5.277126408581883, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3109647c17cddaa17b299f90ce5312c2", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6d22f209bfa3415d513683fc4fe7af89d02ef3a6", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/main RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/av0_0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6 Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/av0_0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6 Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/av0_0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 140, "payload_entropy": 5.301999225222332, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "25b5e89cbe1294f71035eaa7e294115b", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e305ad481918f89f68c9b8ec4846e3a662a13c59", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAw Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAw Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 136, "payload_entropy": 5.2736798720338465, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "be88e2a4d3142427aa7699fa38bb6218", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAw", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAw", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAw", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eb459fa94bef3e3a0d099c8d438c36b098578f06", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAw", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAw", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAw", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/onvif-media/media.amp?profile=profile1_quality1 RTSP/1.0 CSeq: 1 Accept: application/sdp User- Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/onvif-media/media.amp?profile=profile1_quality1 RTSP/1.0 CSeq: 1 Accept: application/sdp User- Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/onvif-media/media.amp?profile=profile1_quality1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 182, "payload_entropy": 5.366642111973626, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0b8c7dedbc7c5bcb3a6bf75497963bd6", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif-media\/media.amp?profile=profile1_quality1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif-media\/media.amp?profile=profile1_quality1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif-media\/media.amp?profile=profile1_quality1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif-media\/media.amp?profile=profile1_quality1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif-media\/media.amp?profile=profile1_quality1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ba286aa26a89613c5d3e11c1d0414b74c392d1f1", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif-media\/media.amp?profile=profile1_quality1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif-media\/media.amp?profile=profile1_quality1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif-media\/media.amp?profile=profile1_quality1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/onvif-media\/media.amp?profile=profile1_quality1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/unique_stream_id RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Bas Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/unique_stream_id RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Bas Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/unique_stream_id RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 151, "payload_entropy": 5.328684128412413, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2ddc086fec4da8230612ffec455ae9df", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/unique_stream_id RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/unique_stream_id RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/unique_stream_id RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/unique_stream_id RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/unique_stream_id RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3da7aeac3d6d23ed0454462d628eba5279dced70", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/unique_stream_id RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/unique_stream_id RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/unique_stream_id RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/unique_stream_id RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Bas", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/channels/1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/channels/1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/channels/1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 155, "payload_entropy": 5.279806945684353, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "52f0eaaa9f89dbc6ea950ebe5f330bc8", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/channels\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/channels\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/channels\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/channels\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/channels\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eff14c78ffd3c150e0dd8f28c2b2427cbf2e25b5", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/channels\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/channels\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/channels\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/channels\/1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_tor_exit_probe rtsp_probe tor_exit_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/realmonitor?channel=1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 97% Confiance classification 97% Risque capteur Moyen · 49 Confiance : Confiance 97 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/realmonitor?channel=1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/realmonitor?channel=1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 156, "payload_entropy": 5.31683255090704, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ede49e53004f29a4185d68116b64086c80bfc558", "event_fingerprint": "96ba8353a2e0c3ee9bf071a6762ce711536fe8ff", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%", "confidence": 0.97, "classification_confidence": 0.97, "precision_score": 110, "precision_signals": [ "pat-0382", "pat-0770" ], "kb_rule_ids": [ "pat-0382", "pat-0770" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 97, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "947838a5d1292f72155543a5dd9bdf74", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/realmonitor?channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/realmonitor?channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/realmonitor?channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/realmonitor?channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/realmonitor?channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "af87cfb8d173116415b5cfc7bb4479525172a313", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/realmonitor?channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/realmonitor?channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 97, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/realmonitor?channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/realmonitor?channel=1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 97 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_tor_exit_probe", "rtsp_probe", "tor_exit_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/streaming/liveStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/liveStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/streaming/liveStream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 155, "payload_entropy": 5.282577652412553, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "433b79866b823bf6a9d6c317c8e535b0", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/liveStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/liveStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/liveStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/liveStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/liveStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "85736321bb326224177be437fc229911950b456f", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/liveStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/liveStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/liveStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/streaming\/liveStream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization:", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/rtspstream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDA Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/rtspstream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDA Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/rtspstream RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 145, "payload_entropy": 5.261396960237217, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "429875ea82d183ee1e675c932625a1c9", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtspstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtspstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtspstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtspstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtspstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "209a071acf57398a1b473b23a1d3d181d0589484", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtspstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtspstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtspstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtspstream RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDA", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ], "behavior_alert_count": 2, "behavior_priority": 72 }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/liveRTSP/av1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic M Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/liveRTSP/av1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic M Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/liveRTSP/av1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 147, "payload_entropy": 5.3034858456546425, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d24b2210f40cb974e32f665906dd27c4", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/liveRTSP\/av1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/liveRTSP\/av1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/liveRTSP\/av1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/liveRTSP\/av1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/liveRTSP\/av1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9986496a561556871fd70f879fd3e2bc39538f20", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/liveRTSP\/av1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/liveRTSP\/av1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/liveRTSP\/av1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/liveRTSP\/av1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic M", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/c0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDA Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/c0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDA Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/c0 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 137, "payload_entropy": 5.27114066480082, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bd035d57a7c0d57cd3e57323d49ba7b6", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/c0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDA", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/c0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/c0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDA", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/c0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/c0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDA", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "447959e29740dc3a8c0ed9f5c55f59a30c42ee57", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/c0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/c0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDA", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/c0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDA", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/c0 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDA", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 11:27:47 UTC	TCP	554 · RTSP	rtsp	Sonde RTSP rtsp probe · via RTSP:554 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 554 Chemin / cible — Service RTSP Payload DESCRIBE rtsp://62.3.50.33:554/rtsp_tunnel?profile=Profile1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Author Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 49 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 pat-0770 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Cred Basic auth spray LFI Double-dot bypass RTSP protocol RTSP DESCRIBE User-Agent — Règles WAF — Payload (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp_tunnel?profile=Profile1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Author Requête brute (extrait) DESCRIBE rtsp://62.3.50.33:554/rtsp_tunnel?profile=Profile1 RTSP/1.0 CSeq: 1 Accept: application/sdp User-Agent: Lavf Authorization: Basic MDAwMDA6MDAwMDA= Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 163, "payload_entropy": 5.325852064373644, "port_category": "well_known", "org": "MTS PJSC", "service": "rtsp", "app_proto": "rtsp", "asn": 34351, "country": "RU", "dst_port": 554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 49, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c612347518e049ce96c448df76dc171f725494ef", "event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0382", "pat-0770", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "pat-0770", "INT-upstream" ], "matched_patterns": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "matched_pattern_names": [ "Cred Basic auth spray", "LFI Double-dot bypass", "RTSP protocol", "RTSP DESCRIBE" ], "pattern_ids": [ "pat-0463", "pat-0103", "pat-0382", "pat-0770" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "rtsp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "RU", "asn": 34351, "org": "MTS PJSC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "899af8370472eeb2d6c8a47e1a1c42ec", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 554, "service": "rtsp", "service_name": "rtsp", "risk_score": 49 }, "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_tunnel?profile=Profile1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthor", "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_tunnel?profile=Profile1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_tunnel?profile=Profile1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthor", "evidence": { "request_sample": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_tunnel?profile=Profile1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthorization: Basic MDAwMDA6MDAwMDA=\r\n\r\n", "payload_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_tunnel?profile=Profile1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthor", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bec4e2f2b51bb84883e8e2b70bdf9414cbc5cfbc", "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_tunnel?profile=Profile1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthor", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_tunnel?profile=Profile1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthor", "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "rtsp", "service_label_fr": "RTSP", "dst_port": 554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "pat-0770", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "pat-0770", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_tunnel?profile=Profile1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthor", "port": 554, "service": "rtsp", "service_label_fr": "RTSP" }, "attack_vector": "rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)", "evidence_snippet": "DESCRIBE rtsp:\/\/62.3.50.33:554\/rtsp_tunnel?profile=Profile1 RTSP\/1.0\r\nCSeq: 1\r\nAccept: application\/sdp\r\nUser-Agent: Lavf\r\nAuthor", "target_port_label": "554 \u00b7 RTSP", "emulator_service": "rtsp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp", "service_banner": "honeypot-rtsp", "service_os": "linux", "dst_port": "554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }

80.70.96.153

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence