|
|
TCP |
10443 · HTTPS
|
https
|
Scan de ports
port scan syn · via HTTPS:10443 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
HTTPS
WAF
—
Recommandation
Surveiller
Tags
http_alt_port
net_web_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
10443
Chemin / cible
—
Service
HTTPS
Payload
������������'q"���)��������>���D�P��ߒ��� �����Olg�D)�)to�1���'����ʺ��`��&̨̩�/�0�+�,��� ��� �����/�5��� ������������������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +14
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������'q"���)��������>���D�P��ߒ��� �����Olg�D)�)to�1���'����ʺ��`��&̨̩�/�0�+�,��� ���
�����/�5���
���������������
Requête brute (extrait)
������������'q"���)��������>���D�P��ߒ��� �����Olg�D)�)to�1���'����ʺ��`��&̨̩�/�0�+�,��� ��� �����/�5��� �������������������� � ����������� ����� �������������������������������������� �h2�http/1.1�����+� ����������3�&�$��� d����h����.�e-��b*�+���7�X�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 261,
"payload_entropy": 5.928315499844018,
"port_category": "registered",
"org": "OVH SAS",
"service": "https",
"app_proto": "https",
"asn": 16276,
"country": "RU",
"dst_port": 10443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "bf82ed4958219b6801f74213ab3f101ded76679b",
"event_fingerprint": "0ce879e35222bcf244eb8071cb051f2e9c4aa580",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 14
},
"named_classification_skipped": false,
"service_name": "https",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "96366e6e3c6c337352f0b7c76d57575c",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 10443,
"service": "https",
"service_name": "https",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd'q\"\ufffd\ufffd\ufffd)\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffdD\u000eP\ufffd\ufffd\u07d2\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdOlg\ufffdD)\ufffd)to\ufffd1\ufffd\ufffd\ufffd'\u000e\ufffd\ufffd\ufffd\u02ba\ufffd\ufffd`\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd'q\"\ufffd\ufffd\ufffd)\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffdD\u000eP\ufffd\ufffd\u07d2\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdOlg\ufffdD)\ufffd)to\ufffd1\ufffd\ufffd\ufffd'\u000e\ufffd\ufffd\ufffd\u02ba\ufffd\ufffd`\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 d\u001c\ufffd\ufffd\ufffdh\u0002\ufffd\u0011\ufffd.\ufffde-\ufffd\ufffdb*\ufffd+\u001e\ufffd\ufffd7\u0018X\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd'q\"\ufffd\ufffd\ufffd)\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffdD\u000eP\ufffd\ufffd\u07d2\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdOlg\ufffdD)\ufffd)to\ufffd1\ufffd\ufffd\ufffd'\u000e\ufffd\ufffd\ufffd\u02ba\ufffd\ufffd`\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d792bd0c07ec80982d77bee35f7aa6fa8ee1d1de",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd'q\"\ufffd\ufffd\ufffd)\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffdD\u000eP\ufffd\ufffd\u07d2\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdOlg\ufffdD)\ufffd)to\ufffd1\ufffd\ufffd\ufffd'\u000e\ufffd\ufffd\ufffd\u02ba\ufffd\ufffd`\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"port": 10443,
"service": "https",
"service_label_fr": "HTTPS"
},
"evidence_snippet": "\ufffd\ufffd'q\"\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffdDP\ufffd\ufffd\u07d2\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdOlg\ufffdD)\ufffd)to\ufffd1\ufffd\ufffd\ufffd'\ufffd\ufffd\ufffd\u02ba\ufffd\ufffd`\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "port scan syn \u00b7 via HTTPS:10443 \u00b7 (reconnaissance)",
"target_port_label": "10443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTPS \u2014 multi-protocole (12 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 14
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "https",
"service_label_fr": "HTTPS",
"dst_port": 10443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-https",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +14",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd'q\"\ufffd\ufffd\ufffd)\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffdD\u000eP\ufffd\ufffd\u07d2\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdOlg\ufffdD)\ufffd)to\ufffd1\ufffd\ufffd\ufffd'\u000e\ufffd\ufffd\ufffd\u02ba\ufffd\ufffd`\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"port": 10443,
"service": "https",
"service_label_fr": "HTTPS"
},
"attack_vector": "port scan syn \u00b7 via HTTPS:10443 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd'q\"\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffdDP\ufffd\ufffd\u07d2\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdOlg\ufffdD)\ufffd)to\ufffd1\ufffd\ufffd\ufffd'\ufffd\ufffd\ufffd\u02ba\ufffd\ufffd`\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "10443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "https",
"service_banner": "honeypot-https",
"service_os": "linux",
"dst_port": "10443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 5,
"port_scan_ports_sample": [
2087,
2096,
6443,
8081,
10443
],
"multi_protocol_correlation": true,
"multi_protocol_count": 12,
"multi_protocol_sample": [
"aws-ecs-agent",
"cloudflare-tunnel",
"cpanel-ssl",
"cpanel-whm",
"http",
"http-alt-8081",
"https",
"k8s-api"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 14,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_alt_port",
"net_web_probe",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
6443 · K8S API
|
k8s-api
|
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Surveiller
Tags
k8s_api_emulated
k8s_api_payload
kubernetes_probe
net_kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
�������������a�[ѣ�U��A��b�lBz(�b�+}��^ ����;nP{"��/����ê�N��h srݜ4�l��&̨̩�/�0�+�,��� ��� �����/�5��� ������������������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +14
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 5 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������a�[ѣ�U��A��b�lBz(�b�+}��^ ����;nP{"��/����ê�N��h�srݜ4�l��&̨̩�/�0�+�,��� ���
�����/�5���
���������������
Requête brute (extrait)
�������������a�[ѣ�U��A��b�lBz(�b�+}��^ ����;nP{"��/����ê�N��h srݜ4�l��&̨̩�/�0�+�,��� ��� �����/�5��� �������������������� � ����������� ����� �������������������������������������� �h2�http/1.1�����+� ����������3�&�$��� ��IC���w��I� F���wƠ��~����
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "15030300020228",
"emulator_response_len": 7,
"bytes_in": 261,
"payload_entropy": 5.907300195817607,
"port_category": "registered",
"org": "OVH SAS",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 16276,
"country": "RU",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 25
},
"risk_score": 42,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "5f70a73a5934201c2e00970f23615f0b69d2ca8a",
"event_fingerprint": "5535c85e0f6854b807e5b9ef895f87dbea310cc1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 14
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "9c42012187c07f389cacfea5e514227f",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffda\ufffd[\u0463\ufffdU\ufffd\u0019A\ufffd\ufffdb\ufffdlBz(\u001fb\ufffd+}\udb1a\udf31\ufffd\ufffd^ \ufffd\ufffd\u001f\ufffd;nP{\"\ufffd\ufffd\/\ufffd\ufffd\u0003\ufffd\u00ea\u0013N\u001b\u0010h\fsr\u075c4\u0004l\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffda\ufffd[\u0463\ufffdU\ufffd\u0019A\ufffd\ufffdb\ufffdlBz(\u001fb\ufffd+}\udb1a\udf31\ufffd\ufffd^ \ufffd\ufffd\u001f\ufffd;nP{\"\ufffd\ufffd\/\ufffd\ufffd\u0003\ufffd\u00ea\u0013N\u001b\u0010h\fsr\u075c4\u0004l\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdIC\ufffd\ufffd\ufffdw\ufffd\ufffdI\ufffd\u000bF\ufffd\u0010\ufffdw\u01a0\ufffd\ufffd~\u001b\ufffd\ufffd\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffda\ufffd[\u0463\ufffdU\ufffd\u0019A\ufffd\ufffdb\ufffdlBz(\u001fb\ufffd+}\udb1a\udf31\ufffd\ufffd^ \ufffd\ufffd\u001f\ufffd;nP{\"\ufffd\ufffd\/\ufffd\ufffd\u0003\ufffd\u00ea\u0013N\u001b\u0010h\fsr\u075c4\u0004l\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "27aaff474890083e67a757dfce6664d270666f20",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffda\ufffd[\u0463\ufffdU\ufffd\u0019A\ufffd\ufffdb\ufffdlBz(\u001fb\ufffd+}\udb1a\udf31\ufffd\ufffd^ \ufffd\ufffd\u001f\ufffd;nP{\"\ufffd\ufffd\/\ufffd\ufffd\u0003\ufffd\u00ea\u0013N\u001b\u0010h\fsr\u075c4\u0004l\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "\ufffd\ufffd\ufffda\ufffd[\u0463\ufffdU\ufffdA\ufffd\ufffdb\ufffdlBz(b\ufffd+}\udb1a\udf31\ufffd\ufffd^ \ufffd\ufffd\ufffd;nP{\"\ufffd\ufffd\/\ufffd\ufffd\ufffd\u00eaNhsr\u075c4l\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (12 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 14
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +14",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffda\ufffd[\u0463\ufffdU\ufffd\u0019A\ufffd\ufffdb\ufffdlBz(\u001fb\ufffd+}\udb1a\udf31\ufffd\ufffd^ \ufffd\ufffd\u001f\ufffd;nP{\"\ufffd\ufffd\/\ufffd\ufffd\u0003\ufffd\u00ea\u0013N\u001b\u0010h\fsr\u075c4\u0004l\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffda\ufffd[\u0463\ufffdU\ufffdA\ufffd\ufffdb\ufffdlBz(b\ufffd+}\udb1a\udf31\ufffd\ufffd^ \ufffd\ufffd\ufffd;nP{\"\ufffd\ufffd\/\ufffd\ufffd\ufffd\u00eaNhsr\u075c4l\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 5,
"port_scan_ports_sample": [
2083,
2087,
2096,
6443,
8081
],
"multi_protocol_correlation": true,
"multi_protocol_count": 12,
"multi_protocol_sample": [
"aws-ecs-agent",
"cloudflare-tunnel",
"cpanel-ssl",
"cpanel-whm",
"http",
"http-alt-8081",
"https",
"k8s-api"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 14,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"net_kubernetes_probe",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
2096 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:2096 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 7c1e207beb00684b
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2096
Chemin / cible
—
Service
TLS
Payload
�����������Z�[A̵G��ٷ7͓Z�1,����[�$g��eD� dQ�I��s�-@�%sAEt `>���� �oE �T��&̨̩�/�0�+�,��� ��� �����/�5��� ������������������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +14
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������Z�[A̵G��ٷ7͓Z�1,����[�$g��eD� dQ�I��s�-@�%sAEt `>����
�oE �T��&̨̩�/�0�+�,��� ���
�����/�5���
���������������
Requête brute (extrait)
�����������Z�[A̵G��ٷ7͓Z�1,����[�$g��eD� dQ�I��s�-@�%sAEt `>���� �oE �T��&̨̩�/�0�+�,��� ��� �����/�5��� �������������������� � ����������� ����� �������������������������������������� �h2�http/1.1�����+� ����������3�&�$��� ,�#Q�����V 5'j|���i[�m,;�fe
Meta JSON brut
{
"tls_ja3_hash": "7c1e207beb00684bbbe144f1b0abe1d5",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"tls_alpn": [
"h2",
"http\/1.1"
],
"bytes_in": 261,
"payload_entropy": 5.838062849031519,
"port_category": "registered",
"org": "OVH SAS",
"service": "tls",
"app_proto": "tls",
"asn": 16276,
"country": "RU",
"dst_port": 2096,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "034adfd45be9e71e735b20823d30b888ab377efc",
"event_fingerprint": "7b1496833d082bfb3e405ae43288c139caf2bde9",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 14
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "7c1e207beb00684bbbe144f1b0abe1d5",
"payload_hash": "0a0301084513022b2e9193059a4965f6",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 2096,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003Z\ufffd[A\u0335G\ufffd\ufffd\u06777\u0353Z\u001b1,\u001f\ufffd\b\ufffd[\u0007$g\ufffd\ufffdeD\ufffd dQ\ufffdI\ufffd\ufffds\ufffd-@\u0012%sAEt\t`>\ufffd\ufffd\ufffd\ufffd\r\ufffdoE \ufffdT\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003Z\ufffd[A\u0335G\ufffd\ufffd\u06777\u0353Z\u001b1,\u001f\ufffd\b\ufffd[\u0007$g\ufffd\ufffdeD\ufffd dQ\ufffdI\ufffd\ufffds\ufffd-@\u0012%sAEt\t`>\ufffd\ufffd\ufffd\ufffd\r\ufffdoE \ufffdT\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 ,\ufffd#Q\ufffd\ufffd\ufffd\ufffd\u001bV\r5'j|\ufffd\ufffd\ufffdi[\u0004m,;\ufffdfe",
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003Z\ufffd[A\u0335G\ufffd\ufffd\u06777\u0353Z\u001b1,\u001f\ufffd\b\ufffd[\u0007$g\ufffd\ufffdeD\ufffd dQ\ufffdI\ufffd\ufffds\ufffd-@\u0012%sAEt\t`>\ufffd\ufffd\ufffd\ufffd\r\ufffdoE \ufffdT\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e678f1324aa0f3f3ee444898728eb59f77a9e188",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003Z\ufffd[A\u0335G\ufffd\ufffd\u06777\u0353Z\u001b1,\u001f\ufffd\b\ufffd[\u0007$g\ufffd\ufffdeD\ufffd dQ\ufffdI\ufffd\ufffds\ufffd-@\u0012%sAEt\t`>\ufffd\ufffd\ufffd\ufffd\r\ufffdoE \ufffdT\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "7c1e207beb00684bbbe144f1b0abe1d5",
"port": 2096,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffdZ\ufffd[A\u0335G\ufffd\ufffd\u06777\u0353Z1,\ufffd\ufffd[$g\ufffd\ufffdeD\ufffd dQ\ufffdI\ufffd\ufffds\ufffd-@%sAEt\t`>\ufffd\ufffd\ufffd\ufffd\r\ufffdoE \ufffdT\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "port scan syn \u00b7 via TLS:2096 \u00b7 (reconnaissance)",
"target_port_label": "2096 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (11 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 14
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 2096,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +14",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003Z\ufffd[A\u0335G\ufffd\ufffd\u06777\u0353Z\u001b1,\u001f\ufffd\b\ufffd[\u0007$g\ufffd\ufffdeD\ufffd dQ\ufffdI\ufffd\ufffds\ufffd-@\u0012%sAEt\t`>\ufffd\ufffd\ufffd\ufffd\r\ufffdoE \ufffdT\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "7c1e207beb00684bbbe144f1b0abe1d5",
"port": 2096,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:2096 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffdZ\ufffd[A\u0335G\ufffd\ufffd\u06777\u0353Z1,\ufffd\ufffd[$g\ufffd\ufffdeD\ufffd dQ\ufffdI\ufffd\ufffds\ufffd-@%sAEt\t`>\ufffd\ufffd\ufffd\ufffd\r\ufffdoE \ufffdT\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "2096 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "2096"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 4,
"port_scan_ports_sample": [
2083,
2087,
2096,
8081
],
"multi_protocol_correlation": true,
"multi_protocol_count": 11,
"multi_protocol_sample": [
"aws-ecs-agent",
"cloudflare-tunnel",
"cpanel-ssl",
"cpanel-whm",
"http",
"http-alt-8081",
"https",
"kdm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 14,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8081 · HTTP ALT 8081
|
http-alt-8081
|
Scan de ports
port scan syn · via HTTP ALT 8081:8081 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
HTTP-ALT-8081
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8081
Chemin / cible
—
Service
HTTP ALT 8081
Payload
�������������g2c�M:����] x�:m�;9dp5@l����W� ʅP2��03�Q>̈�L����p�`�O{=Z�r�:-�&̨̩�/�0�+�,��� ��� �����/�5��� ������������������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +14
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 1 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������g2c�M:����]
x�:m�;9dp5@l����W� ʅP2��03�Q>̈�L����p�`�O{=Z�r�:-�&̨̩�/�0�+�,��� ���
�����/�5���
���������������
Requête brute (extrait)
�������������g2c�M:����] x�:m�;9dp5@l����W� ʅP2��03�Q>̈�L����p�`�O{=Z�r�:-�&̨̩�/�0�+�,��� ��� �����/�5��� �������������������� � ����������� ����� �������������������������������������� �h2�http/1.1�����+� ����������3�&�$��� �E*��S��E ^8�P��Y�����t�-
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 261,
"payload_entropy": 5.875202670922491,
"port_category": "registered",
"org": "OVH SAS",
"service": "http-alt-8081",
"app_proto": "http-alt-8081",
"asn": 16276,
"country": "RU",
"dst_port": 8081,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.7,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "929e68b705f9838a7da7b1cddb73ebe75654e59f",
"event_fingerprint": "1023f61ccc055c445b71c912dbddfda91b08657e",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 231,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 14
},
"named_classification_skipped": false,
"service_name": "http-alt-8081",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6e38891a7f116e809c951d8ed649ee87",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 8081,
"service": "http-alt-8081",
"service_name": "http-alt-8081",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u0012\u0018g2c\u001aM:\ufffd\u001e\ufffd\ufffd]\nx\ufffd:m\ufffd;9dp5@l\ufffd\u001e\ufffd\ufffdW\ufffd \u0285P2\ufffd\u001803\ufffdQ>\u0308\u0004L\ufffd\ufffd\ufffd\ufffdp\ufffd`\u0012O{=Z\u0007r\ufffd:-\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u0012\u0018g2c\u001aM:\ufffd\u001e\ufffd\ufffd]\nx\ufffd:m\ufffd;9dp5@l\ufffd\u001e\ufffd\ufffdW\ufffd \u0285P2\ufffd\u001803\ufffdQ>\u0308\u0004L\ufffd\ufffd\ufffd\ufffdp\ufffd`\u0012O{=Z\u0007r\ufffd:-\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdE*\ufffd\ufffdS\ufffd\u0007E\n^8\ufffdP\u0007\ufffdY\u0018\ufffd\u000f\ufffd\ufffdt\ufffd-",
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u0012\u0018g2c\u001aM:\ufffd\u001e\ufffd\ufffd]\nx\ufffd:m\ufffd;9dp5@l\ufffd\u001e\ufffd\ufffdW\ufffd \u0285P2\ufffd\u001803\ufffdQ>\u0308\u0004L\ufffd\ufffd\ufffd\ufffdp\ufffd`\u0012O{=Z\u0007r\ufffd:-\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4d72a238f262a001b99f193fb2c7adf0bfd30cda",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u0012\u0018g2c\u001aM:\ufffd\u001e\ufffd\ufffd]\nx\ufffd:m\ufffd;9dp5@l\ufffd\u001e\ufffd\ufffdW\ufffd \u0285P2\ufffd\u001803\ufffdQ>\u0308\u0004L\ufffd\ufffd\ufffd\ufffdp\ufffd`\u0012O{=Z\u0007r\ufffd:-\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"port": 8081,
"service": "http-alt-8081",
"service_label_fr": "HTTP ALT 8081"
},
"evidence_snippet": "\ufffdg2cM:\ufffd\ufffd\ufffd]\nx\ufffd:m\ufffd;9dp5@l\ufffd\ufffd\ufffdW\ufffd \u0285P2\ufffd03\ufffdQ>\u0308L\ufffd\ufffd\ufffd\ufffdp\ufffd`O{=Zr\ufffd:-&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8081:8081 \u00b7 (reconnaissance)",
"target_port_label": "8081 \u00b7 HTTP ALT 8081",
"emulator_service": "http-alt-8081",
"confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8081 \u2014 multi-protocole (10 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 14
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8081",
"service_label_fr": "HTTP ALT 8081",
"dst_port": 8081,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8081",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +14",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u0012\u0018g2c\u001aM:\ufffd\u001e\ufffd\ufffd]\nx\ufffd:m\ufffd;9dp5@l\ufffd\u001e\ufffd\ufffdW\ufffd \u0285P2\ufffd\u001803\ufffdQ>\u0308\u0004L\ufffd\ufffd\ufffd\ufffdp\ufffd`\u0012O{=Z\u0007r\ufffd:-\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"port": 8081,
"service": "http-alt-8081",
"service_label_fr": "HTTP ALT 8081"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8081:8081 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffdg2cM:\ufffd\ufffd\ufffd]\nx\ufffd:m\ufffd;9dp5@l\ufffd\ufffd\ufffdW\ufffd \u0285P2\ufffd03\ufffdQ>\u0308L\ufffd\ufffd\ufffd\ufffdp\ufffd`O{=Zr\ufffd:-&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "8081 \u00b7 HTTP ALT 8081",
"emulator_service": "http-alt-8081",
"confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8081",
"service_banner": "honeypot-http-alt-8081",
"service_os": "linux",
"dst_port": "8081"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 4,
"port_scan_ports_sample": [
2083,
2087,
8080,
8081
],
"multi_protocol_correlation": true,
"multi_protocol_count": 10,
"multi_protocol_sample": [
"aws-ecs-agent",
"cloudflare-tunnel",
"cpanel-ssl",
"cpanel-whm",
"http",
"http-alt-8081",
"https",
"kdm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 14,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
2087 · CPANEL WHM
|
cpanel-whm
|
Scan de ports
port scan syn · via CPANEL WHM:2087 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
CPANEL-WHM
WAF
—
Recommandation
Surveiller
Tags
cpanel_whm_emulated
cpanel_whm_payload
net_cpanel_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2087
Chemin / cible
—
Service
CPANEL WHM
Payload
�����������/ٟ�(�ə��6|��yj���y`���p� �c �� C�� I�p�*4������ ���U��j����ʍ�k�&̨̩�/�0�+�,��� ��� �����/�5��� ������������������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +14
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������/ٟ�(�ə��6|��yj���y`���p���c
�� C��
I�p�*4������
���U��j����ʍ�k�&̨̩�/�0�+�,��� ���
�����/�5���
���������������
Requête brute (extrait)
�����������/ٟ�(�ə��6|��yj���y`���p� �c �� C�� I�p�*4������ ���U��j����ʍ�k�&̨̩�/�0�+�,��� ��� �����/�5��� �������������������� � ����������� ����� �������������������������������������� �h2�http/1.1�����+� ����������3�&�$��� wK���y��IHB�q��>��n��=w��ob
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"bytes_in": 261,
"payload_entropy": 5.861017838574273,
"port_category": "registered",
"org": "OVH SAS",
"service": "cpanel-whm",
"app_proto": "cpanel-whm",
"asn": 16276,
"country": "RU",
"dst_port": 2087,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "51584d32aeb6bcba72953119cc78a0e0836a8f64",
"event_fingerprint": "bd94c1be47794e5b05816ea1bc287e14296ba082",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 231,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 14
},
"named_classification_skipped": false,
"service_name": "cpanel-whm",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "5751c075db09a6b139a586111608757c",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 2087,
"service": "cpanel-whm",
"service_name": "cpanel-whm",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\/\u065f\ufffd(\ufffd\u0259\ufffd\u000f6|\ufffd\ufffdyj\b\ufffd\ufffdy`\ufffd\ufffd\ufffdp\u0012\f\u0000c\n\ufffd\ufffd C\ufffd\ufffd\nI\ufffdp\ufffd*4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\u001fU\ufffd\u000fj\ufffd\u0003\ufffd\ufffd\u028d\ufffdk\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\/\u065f\ufffd(\ufffd\u0259\ufffd\u000f6|\ufffd\ufffdyj\b\ufffd\ufffdy`\ufffd\ufffd\ufffdp\u0012\f\u0000c\n\ufffd\ufffd C\ufffd\ufffd\nI\ufffdp\ufffd*4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\u001fU\ufffd\u000fj\ufffd\u0003\ufffd\ufffd\u028d\ufffdk\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 wK\u001d\ufffd\ufffdy\ufffd\ufffdIHB\u0012q\u001d\ufffd>\ufffd\u0007n\ufffd\ufffd=w\ufffd\ufffdob",
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\/\u065f\ufffd(\ufffd\u0259\ufffd\u000f6|\ufffd\ufffdyj\b\ufffd\ufffdy`\ufffd\ufffd\ufffdp\u0012\f\u0000c\n\ufffd\ufffd C\ufffd\ufffd\nI\ufffdp\ufffd*4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\u001fU\ufffd\u000fj\ufffd\u0003\ufffd\ufffd\u028d\ufffdk\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d94745a637ea3108c1cb219caae1f03c1ffed2b7",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\/\u065f\ufffd(\ufffd\u0259\ufffd\u000f6|\ufffd\ufffdyj\b\ufffd\ufffdy`\ufffd\ufffd\ufffdp\u0012\f\u0000c\n\ufffd\ufffd C\ufffd\ufffd\nI\ufffdp\ufffd*4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\u001fU\ufffd\u000fj\ufffd\u0003\ufffd\ufffd\u028d\ufffdk\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"port": 2087,
"service": "cpanel-whm",
"service_label_fr": "CPANEL WHM"
},
"evidence_snippet": "\ufffd\/\u065f\ufffd(\ufffd\u0259\ufffd6|\ufffd\ufffdyj\ufffd\ufffdy`\ufffd\ufffd\ufffdpc\n\ufffd\ufffd C\ufffd\ufffd\nI\ufffdp\ufffd*4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffdU\ufffdj\ufffd\ufffd\ufffd\u028d\ufffdk&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "port scan syn \u00b7 via CPANEL WHM:2087 \u00b7 (reconnaissance)",
"target_port_label": "2087 \u00b7 CPANEL WHM",
"emulator_service": "cpanel-whm",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CPANEL WHM \u2014 multi-protocole (9 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 14
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "cpanel-whm",
"service_label_fr": "CPANEL WHM",
"dst_port": 2087,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-cpanel-whm",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +14",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\/\u065f\ufffd(\ufffd\u0259\ufffd\u000f6|\ufffd\ufffdyj\b\ufffd\ufffdy`\ufffd\ufffd\ufffdp\u0012\f\u0000c\n\ufffd\ufffd C\ufffd\ufffd\nI\ufffdp\ufffd*4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\u001fU\ufffd\u000fj\ufffd\u0003\ufffd\ufffd\u028d\ufffdk\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"port": 2087,
"service": "cpanel-whm",
"service_label_fr": "CPANEL WHM"
},
"attack_vector": "port scan syn \u00b7 via CPANEL WHM:2087 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\/\u065f\ufffd(\ufffd\u0259\ufffd6|\ufffd\ufffdyj\ufffd\ufffdy`\ufffd\ufffd\ufffdpc\n\ufffd\ufffd C\ufffd\ufffd\nI\ufffdp\ufffd*4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffdU\ufffdj\ufffd\ufffd\ufffd\u028d\ufffdk&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "2087 \u00b7 CPANEL WHM",
"emulator_service": "cpanel-whm",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "cpanel_whm",
"service_banner": "honeypot-cpanel-whm",
"service_os": "linux",
"dst_port": "2087"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 4,
"port_scan_ports_sample": [
2083,
2087,
8080,
9443
],
"multi_protocol_correlation": true,
"multi_protocol_count": 9,
"multi_protocol_sample": [
"aws-ecs-agent",
"cloudflare-tunnel",
"cpanel-ssl",
"cpanel-whm",
"http",
"https",
"kdm",
"quic-http3-stub"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 14,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"cpanel_whm_emulated",
"cpanel_whm_payload",
"net_cpanel_probe",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
2083 · CPANEL SSL
|
cpanel-ssl
|
Scan de ports
port scan syn · via CPANEL SSL:2083 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
CPANEL-SSL
WAF
—
Recommandation
Surveiller
Tags
cpanel_ssl_emulated
net_cpanel_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2083
Chemin / cible
—
Service
CPANEL SSL
Payload
������������u��>3�zÅ}7L���/�{�8��ԉ4����� ���a/���C��|������K ���JAR!�����&̨̩�/�0�+�,��� ��� �����/�5��� ������������������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +14
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������u��>3�zÅ}7L���/�{�8��ԉ4����� ���a/���C��|������K
���JAR!�����&̨̩�/�0�+�,��� ���
�����/�5���
���������������
Requête brute (extrait)
������������u��>3�zÅ}7L���/�{�8��ԉ4����� ���a/���C��|������K ���JAR!�����&̨̩�/�0�+�,��� ��� �����/�5��� �������������������� � ����������� ����� �������������������������������������� �h2�http/1.1�����+� ����������3�&�$��� ��Pir������ ��%| �O^$��N��
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"bytes_in": 261,
"payload_entropy": 5.933219924045358,
"port_category": "registered",
"org": "OVH SAS",
"service": "cpanel-ssl",
"app_proto": "cpanel-ssl",
"asn": 16276,
"country": "RU",
"dst_port": 2083,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "4cc54c7fcd5f1e5ebb94393f5b67f30e90170090",
"event_fingerprint": "80d2812b66b9080b0842670f25ce9d4d3386dae1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 231,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 14
},
"named_classification_skipped": false,
"service_name": "cpanel-ssl",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c15efe199fbbd0c10b30123c9881afef",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 2083,
"service": "cpanel-ssl",
"service_name": "cpanel-ssl",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdu\ufffd\u001a>3\u001bz\u00c5}7L\ufffd\ufffd\ufffd\/\ufffd{\ufffd8\u0011\ufffd\u05094\ufffd\ufffd\u001f\u0005\u0010 \u000f\ufffd\ufffda\/\ufffd\u001f\ufffdC\u0005\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdK\n\ufffd\ufffd\ufffdJAR!\ufffd\u0005\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdu\ufffd\u001a>3\u001bz\u00c5}7L\ufffd\ufffd\ufffd\/\ufffd{\ufffd8\u0011\ufffd\u05094\ufffd\ufffd\u001f\u0005\u0010 \u000f\ufffd\ufffda\/\ufffd\u001f\ufffdC\u0005\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdK\n\ufffd\ufffd\ufffdJAR!\ufffd\u0005\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \u001e\u0004Pir\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd%|\u000b\ufffdO^$\u0002\ufffdN\ufffd\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdu\ufffd\u001a>3\u001bz\u00c5}7L\ufffd\ufffd\ufffd\/\ufffd{\ufffd8\u0011\ufffd\u05094\ufffd\ufffd\u001f\u0005\u0010 \u000f\ufffd\ufffda\/\ufffd\u001f\ufffdC\u0005\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdK\n\ufffd\ufffd\ufffdJAR!\ufffd\u0005\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "aed78668124dd392b85ab7b1cdcc577dcd520d64",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdu\ufffd\u001a>3\u001bz\u00c5}7L\ufffd\ufffd\ufffd\/\ufffd{\ufffd8\u0011\ufffd\u05094\ufffd\ufffd\u001f\u0005\u0010 \u000f\ufffd\ufffda\/\ufffd\u001f\ufffdC\u0005\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdK\n\ufffd\ufffd\ufffdJAR!\ufffd\u0005\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"port": 2083,
"service": "cpanel-ssl",
"service_label_fr": "CPANEL SSL"
},
"evidence_snippet": "\ufffd\ufffdu\ufffd>3z\u00c5}7L\ufffd\ufffd\ufffd\/\ufffd{\ufffd8\ufffd\u05094\ufffd\ufffd \ufffd\ufffda\/\ufffd\ufffdC\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdK\n\ufffd\ufffd\ufffdJAR!\ufffd\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "port scan syn \u00b7 via CPANEL SSL:2083 \u00b7 (reconnaissance)",
"target_port_label": "2083 \u00b7 CPANEL SSL",
"emulator_service": "cpanel-ssl",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CPANEL SSL \u2014 multi-protocole (8 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 14
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "cpanel-ssl",
"service_label_fr": "CPANEL SSL",
"dst_port": 2083,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-cpanel-ssl",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +14",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdu\ufffd\u001a>3\u001bz\u00c5}7L\ufffd\ufffd\ufffd\/\ufffd{\ufffd8\u0011\ufffd\u05094\ufffd\ufffd\u001f\u0005\u0010 \u000f\ufffd\ufffda\/\ufffd\u001f\ufffdC\u0005\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdK\n\ufffd\ufffd\ufffdJAR!\ufffd\u0005\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"port": 2083,
"service": "cpanel-ssl",
"service_label_fr": "CPANEL SSL"
},
"attack_vector": "port scan syn \u00b7 via CPANEL SSL:2083 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdu\ufffd>3z\u00c5}7L\ufffd\ufffd\ufffd\/\ufffd{\ufffd8\ufffd\u05094\ufffd\ufffd \ufffd\ufffda\/\ufffd\ufffdC\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdK\n\ufffd\ufffd\ufffdJAR!\ufffd\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "2083 \u00b7 CPANEL SSL",
"emulator_service": "cpanel-ssl",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "cpanel_ssl",
"service_banner": "honeypot-cpanel-ssl",
"service_os": "linux",
"dst_port": "2083"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 4,
"port_scan_ports_sample": [
2083,
4433,
8080,
9443
],
"multi_protocol_correlation": true,
"multi_protocol_count": 8,
"multi_protocol_sample": [
"aws-ecs-agent",
"cloudflare-tunnel",
"cpanel-ssl",
"http",
"https",
"kdm",
"quic-http3-stub",
"upnp-tcp"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 14,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"cpanel_ssl_emulated",
"net_cpanel_probe",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8080 · HTTP
|
http
|
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → kҐ[<OE|
|
Élevée
|
Moyen · 44
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
Protocole
���������� kҐ[<OE|
Émulateur
HTTP
WAF
7
Recommandation
Surveiller
Tags
950324:rce-0
http_no_ua
net_web_probe
Cible HTTP
����������
kҐ[<OE|
TLS SNI
—
Capteur
paris-1
|
Méthode
����������
Port
8080
Chemin / cible
kҐ[<OE|
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 44
Confiance : Confiance 100 % — 1 tag(s) WAF
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
Ligne de requête
���������� kҐ[<OE| HTTP/1.1
User-Agent
—
Règles WAF
rce-0
Payload (extrait)
����������� k����Ґ[<��O�E|���L7V�HP��v���{ �*-�X�������ԒX�� �e>��Fw�3�g�[2�&̨̩�/�0�+�,��� ���
�����/�5���
���������������
Requête brute (extrait)
����������� k����Ґ[<��O�E|� �L7V�HP��v���{ �*-�X�������ԒX�� �e>��Fw�3�g�[2�&̨̩�/�0�+�,��� ��� �����/�5��� �������������������� � ����������� ����� �������������������������������������� �h2�http/1.1�����+� ����������3�&�$��� r����9$V���������5��J��� �
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 0,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "680da6bbe992cf3eaa4ab1e1e90c2898686a6bd1",
"http_referer_hash": null,
"http_method": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\u0003\u0003",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 261,
"payload_entropy": 5.914314436205332,
"port_category": "registered",
"org": "OVH SAS",
"service": "http",
"app_proto": "http",
"asn": 16276,
"country": "RU",
"dst_port": 8080,
"risk_waf": 36,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 36,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 44,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "f074606b922ffbc0a44e87add047c495b93d5345",
"event_fingerprint": "5002f86640b9f6ff5703b8dbef54100928abb241",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 231,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 36,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 44,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "1aa4ca315416e4fef96b91b4ce8f8772",
"path_pattern_hash": "72708bc98a2574405e31ac171b5dcddb"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 44
},
"method": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\u0003\u0003",
"path": "k\u0490[<OE|",
"waf_tags": [
"950324:rce-0"
],
"waf_rule_names": [
"rce-0"
],
"request_line": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\u0003\u0003 k\u0490[<OE| HTTP\/1.1",
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003 k\ufffd\ufffd\ufffd\ufffd\u0490[<\ufffd\ufffdO\ufffdE|\ufffd\u000b\ufffdL7V\ufffdHP\ufffd\u0002v\ufffd\ufffd\ufffd{ \ufffd*-\ufffdX\ufffd\ufffd\ufffd\ufffd\u0019\ufffd\u001a\u0512X\u0017\ufffd \ufffde>\ufffd\u0007Fw\u001a3\ufffdg\ufffd[2\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"method": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\u0003\u0003",
"path": "k\u0490[<OE|",
"waf_tags": [
"950324:rce-0"
],
"waf_rule_names": [
"rce-0"
],
"request_line": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\u0003\u0003 k\u0490[<OE| HTTP\/1.1",
"request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003 k\ufffd\ufffd\ufffd\ufffd\u0490[<\ufffd\ufffdO\ufffdE|\ufffd\u000b\ufffdL7V\ufffdHP\ufffd\u0002v\ufffd\ufffd\ufffd{ \ufffd*-\ufffdX\ufffd\ufffd\ufffd\ufffd\u0019\ufffd\u001a\u0512X\u0017\ufffd \ufffde>\ufffd\u0007Fw\u001a3\ufffdg\ufffd[2\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \u000br\ufffd\ufffd\ufffd\ufffd9$V\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffdJ\ufffd\u0011\u0016\n\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003 k\ufffd\ufffd\ufffd\ufffd\u0490[<\ufffd\ufffdO\ufffdE|\ufffd\u000b\ufffdL7V\ufffdHP\ufffd\u0002v\ufffd\ufffd\ufffd{ \ufffd*-\ufffdX\ufffd\ufffd\ufffd\ufffd\u0019\ufffd\u001a\u0512X\u0017\ufffd \ufffde>\ufffd\u0007Fw\u001a3\ufffdg\ufffd[2\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "116e44956ecadb251af94d73b6951190dd7b0aee",
"protocol_details": {
"http_method": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\u0003\u0003",
"http_path": "k\u0490[<OE|",
"request_line": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\u0003\u0003 k\u0490[<OE| HTTP\/1.1",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "\ufffd k\ufffd\ufffd\ufffd\ufffd\u0490[<\ufffd\ufffdO\ufffdE|\ufffd\ufffdL7V\ufffdHP\ufffdv\ufffd\ufffd\ufffd{ \ufffd*-\ufffdX\ufffd\ufffd\ufffd\ufffd\ufffd\u0512X\ufffd \ufffde>\ufffdFw3\ufffdg\ufffd[2&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 k\u0490[<OE|",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (7 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 36,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 44,
"correlation_boost": 8
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\u0003\u0003",
"http_path": "k\u0490[<OE|",
"request_line": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\u0003\u0003 k\u0490[<OE| HTTP\/1.1",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 k\u0490[<OE|",
"evidence_snippet": "\ufffd k\ufffd\ufffd\ufffd\ufffd\u0490[<\ufffd\ufffdO\ufffdE|\ufffd\ufffdL7V\ufffdHP\ufffdv\ufffd\ufffd\ufffd{ \ufffd*-\ufffdX\ufffd\ufffd\ufffd\ufffd\ufffd\u0512X\ufffd \ufffde>\ufffdFw3\ufffdg\ufffd[2&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 36 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 7,
"multi_protocol_sample": [
"aws-ecs-agent",
"cloudflare-tunnel",
"http",
"https",
"kdm",
"quic-http3-stub",
"upnp-tcp"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"950324:rce-0",
"http_no_ua",
"net_web_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9443 · HTTPS
|
https
|
Scan de ports
port scan syn · via HTTPS:9443 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
HTTPS
WAF
—
Recommandation
Surveiller
Tags
http_alt_port
net_web_probe
tls_clienthello
websphere_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9443
Chemin / cible
—
Service
HTTPS
Payload
������������v�B�z Og�;V0�P'�+��#k]��7�ת�4 �����.�~8�c���5t��PY ��n��R���&̨̩�/�0�+�,��� ��� �����/�5��� ������������������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +14
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
HTTPS alt 9443 probe
User-Agent
—
Règles WAF
—
Payload (extrait)
������������v�B�z�Og�;V0�P'�+��#k]��7�ת�4 �����.�~8�c���5t��PY
��n��R���&̨̩�/�0�+�,��� ���
�����/�5���
���������������
Requête brute (extrait)
������������v�B�z Og�;V0�P'�+��#k]��7�ת�4 �����.�~8�c���5t��PY ��n��R���&̨̩�/�0�+�,��� ��� �����/�5��� �������������������� � ����������� ����� �������������������������������������� �h2�http/1.1�����+� ����������3�&�$��� �g��� � ^X6t�� �T���Hݨ���P
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 261,
"payload_entropy": 5.834581559131824,
"port_category": "registered",
"org": "OVH SAS",
"service": "https",
"app_proto": "https",
"asn": 16276,
"country": "RU",
"dst_port": 9443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2",
"event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 231,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536",
"pat-0600"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ",
"HTTPS alt 9443 probe"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536",
"pat-0600"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 14
},
"named_classification_skipped": false,
"service_name": "https",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "db547feb1359077cabca99346e0dee31",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 9443,
"service": "https",
"service_name": "https",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdv\ufffdB\ufffdz\u000bOg\ufffd;V0\ufffdP'\ufffd+\ufffd\ufffd#k]\ufffd\u00057\ufffd\u05ea\ufffd4 \ufffd\u001e\ufffd\u0011\ufffd.\u000f~8\ufffdc\ufffd\b\u00145t\u0005\ufffdPY\r\ufffd\ufffdn\ufffd\ufffdR\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdv\ufffdB\ufffdz\u000bOg\ufffd;V0\ufffdP'\ufffd+\ufffd\ufffd#k]\ufffd\u00057\ufffd\u05ea\ufffd4 \ufffd\u001e\ufffd\u0011\ufffd.\u000f~8\ufffdc\ufffd\b\u00145t\u0005\ufffdPY\r\ufffd\ufffdn\ufffd\ufffdR\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdg\ufffd\ufffd\ufffd\t\u0016\r^X6t\ufffd\ufffd\f\ufffdT\ufffd\ufffd\ufffdH\u0768\ufffd\ufffd\ufffdP",
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdv\ufffdB\ufffdz\u000bOg\ufffd;V0\ufffdP'\ufffd+\ufffd\ufffd#k]\ufffd\u00057\ufffd\u05ea\ufffd4 \ufffd\u001e\ufffd\u0011\ufffd.\u000f~8\ufffdc\ufffd\b\u00145t\u0005\ufffdPY\r\ufffd\ufffdn\ufffd\ufffdR\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "81bc211f0d48214fac77c22561b8972f55745e07",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdv\ufffdB\ufffdz\u000bOg\ufffd;V0\ufffdP'\ufffd+\ufffd\ufffd#k]\ufffd\u00057\ufffd\u05ea\ufffd4 \ufffd\u001e\ufffd\u0011\ufffd.\u000f~8\ufffdc\ufffd\b\u00145t\u0005\ufffdPY\r\ufffd\ufffdn\ufffd\ufffdR\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"port": 9443,
"service": "https",
"service_label_fr": "HTTPS"
},
"evidence_snippet": "\ufffd\ufffdv\ufffdB\ufffdzOg\ufffd;V0\ufffdP'\ufffd+\ufffd\ufffd#k]\ufffd7\ufffd\u05ea\ufffd4 \ufffd\ufffd\ufffd.~8\ufffdc\ufffd5t\ufffdPY\r\ufffd\ufffdn\ufffd\ufffdR\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)",
"target_port_label": "9443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTPS \u2014 multi-protocole (7 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 14
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "https",
"service_label_fr": "HTTPS",
"dst_port": 9443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-https",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +14",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdv\ufffdB\ufffdz\u000bOg\ufffd;V0\ufffdP'\ufffd+\ufffd\ufffd#k]\ufffd\u00057\ufffd\u05ea\ufffd4 \ufffd\u001e\ufffd\u0011\ufffd.\u000f~8\ufffdc\ufffd\b\u00145t\u0005\ufffdPY\r\ufffd\ufffdn\ufffd\ufffdR\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"port": 9443,
"service": "https",
"service_label_fr": "HTTPS"
},
"attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdv\ufffdB\ufffdzOg\ufffd;V0\ufffdP'\ufffd+\ufffd\ufffd#k]\ufffd7\ufffd\u05ea\ufffd4 \ufffd\ufffd\ufffd.~8\ufffdc\ufffd5t\ufffdPY\r\ufffd\ufffdn\ufffd\ufffdR\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "9443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "https",
"service_banner": "honeypot-https",
"service_os": "linux",
"dst_port": "9443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 4,
"port_scan_ports_sample": [
4433,
5001,
8443,
9443
],
"multi_protocol_correlation": true,
"multi_protocol_count": 7,
"multi_protocol_sample": [
"aws-ecs-agent",
"cloudflare-tunnel",
"http",
"https",
"kdm",
"quic-http3-stub",
"upnp-tcp"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 14,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_alt_port",
"net_web_probe",
"tls_clienthello",
"websphere_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
4433 · QUIC HTTP3 STUB
|
quic-http3-stub
|
Scan de ports
port scan syn · via QUIC HTTP3 STUB:4433 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
Protocole
Émulateur
QUIC-HTTP3-STUB
WAF
—
Recommandation
Surveiller
Tags
net_quic_probe
quic_http3_stub_emulated
quic_http3_stub_payload
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
4433
Chemin / cible
—
Service
QUIC HTTP3 STUB
Payload
������������L���T���>�e���ty���秀I�c�imǸ� x �S �� �[~��}��$���P�|� �����i�&̨̩�/�0�+�,��� ��� �����/�5��� ������������������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������L���T���>�e���ty���秀I�c�imǸ� x �S ��
�[~��}��$���P�|� �����i�&̨̩�/�0�+�,��� ���
�����/�5���
���������������
Requête brute (extrait)
������������L���T���>�e���ty���秀I�c�imǸ� x �S �� �[~��}��$���P�|� �����i�&̨̩�/�0�+�,��� ��� �����/�5��� �������������������� � ����������� ����� �������������������������������������� �h2�http/1.1�����+� ����������3�&�$��� �IR����W�b��$ ���H�1§
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "0c00000000485454502f3320686f6e6579706f7420737475620d0a",
"emulator_response_len": 27,
"bytes_in": 261,
"payload_entropy": 5.848307843303124,
"port_category": "registered",
"org": "OVH SAS",
"service": "quic-http3-stub",
"app_proto": "quic-http3-stub",
"asn": 16276,
"country": "RU",
"dst_port": 4433,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "a8bd063f644b84e1de1a05db0b9f17e832ed6e2d",
"event_fingerprint": "69ec763c111675fc5207ef508e4abdef0f3279d4",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 231,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "quic-http3-stub",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "389f0c8cc7142c2f480e0eb5c6967b8b",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 4433,
"service": "quic-http3-stub",
"service_name": "quic-http3-stub",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdL\ufffd\ufffd\u0004T\u0013\u0005\ufffd>\ufffde\ufffd\ufffd\ufffdty\u001d\ufffd\ufffd\u79c0I\ufffdc\ufffdim\u01f8\u0014 x \ufffdS\t\ufffd\u0014\n\ufffd[~\ufffd\ufffd}\u0006\ufffd$\ufffd\ufffd\ufffdP\ufffd|\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdi\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdL\ufffd\ufffd\u0004T\u0013\u0005\ufffd>\ufffde\ufffd\ufffd\ufffdty\u001d\ufffd\ufffd\u79c0I\ufffdc\ufffdim\u01f8\u0014 x \ufffdS\t\ufffd\u0014\n\ufffd[~\ufffd\ufffd}\u0006\ufffd$\ufffd\ufffd\ufffdP\ufffd|\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdi\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdIR\ufffd\u001d\ufffd\ufffdW\ufffdb\u000f\ufffd$\f\u0010\uf7be\ufffd\ufffdH\ufffd1\u00a7",
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdL\ufffd\ufffd\u0004T\u0013\u0005\ufffd>\ufffde\ufffd\ufffd\ufffdty\u001d\ufffd\ufffd\u79c0I\ufffdc\ufffdim\u01f8\u0014 x \ufffdS\t\ufffd\u0014\n\ufffd[~\ufffd\ufffd}\u0006\ufffd$\ufffd\ufffd\ufffdP\ufffd|\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdi\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5bb14209c145ee2f117b1c098f6a1d8c308741b8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdL\ufffd\ufffd\u0004T\u0013\u0005\ufffd>\ufffde\ufffd\ufffd\ufffdty\u001d\ufffd\ufffd\u79c0I\ufffdc\ufffdim\u01f8\u0014 x \ufffdS\t\ufffd\u0014\n\ufffd[~\ufffd\ufffd}\u0006\ufffd$\ufffd\ufffd\ufffdP\ufffd|\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdi\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"port": 4433,
"service": "quic-http3-stub",
"service_label_fr": "QUIC HTTP3 STUB"
},
"evidence_snippet": "\ufffd\ufffdL\ufffd\ufffdT\ufffd>\ufffde\ufffd\ufffd\ufffdty\ufffd\ufffd\u79c0I\ufffdc\ufffdim\u01f8 x \ufffdS\t\ufffd\n\ufffd[~\ufffd\ufffd}\ufffd$\ufffd\ufffd\ufffdP\ufffd|\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdi&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "port scan syn \u00b7 via QUIC HTTP3 STUB:4433 \u00b7 (reconnaissance)",
"target_port_label": "4433 \u00b7 QUIC HTTP3 STUB",
"emulator_service": "quic-http3-stub",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via QUIC HTTP3 STUB \u2014 multi-protocole (7 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 8
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "quic-http3-stub",
"service_label_fr": "QUIC HTTP3 STUB",
"dst_port": 4433,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-quic-http3-stub",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdL\ufffd\ufffd\u0004T\u0013\u0005\ufffd>\ufffde\ufffd\ufffd\ufffdty\u001d\ufffd\ufffd\u79c0I\ufffdc\ufffdim\u01f8\u0014 x \ufffdS\t\ufffd\u0014\n\ufffd[~\ufffd\ufffd}\u0006\ufffd$\ufffd\ufffd\ufffdP\ufffd|\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdi\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"port": 4433,
"service": "quic-http3-stub",
"service_label_fr": "QUIC HTTP3 STUB"
},
"attack_vector": "port scan syn \u00b7 via QUIC HTTP3 STUB:4433 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdL\ufffd\ufffdT\ufffd>\ufffde\ufffd\ufffd\ufffdty\ufffd\ufffd\u79c0I\ufffdc\ufffdim\u01f8 x \ufffdS\t\ufffd\n\ufffd[~\ufffd\ufffd}\ufffd$\ufffd\ufffd\ufffdP\ufffd|\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdi&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "4433 \u00b7 QUIC HTTP3 STUB",
"emulator_service": "quic-http3-stub",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "quic_http3_stub",
"service_banner": "honeypot-quic-http3-stub",
"service_os": "linux",
"dst_port": "4433"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 7,
"multi_protocol_sample": [
"aws-ecs-agent",
"cloudflare-tunnel",
"http",
"https",
"kdm",
"quic-http3-stub",
"upnp-tcp"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_quic_probe",
"quic_http3_stub_emulated",
"quic_http3_stub_payload",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5001 · UPNP TCP
|
upnp-tcp
|
Scan de ports
port scan syn · via UPNP TCP:5001 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
UPNP-TCP
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5001
Chemin / cible
—
Service
UPNP TCP
Payload
�����������*�ڑ�<(���H��@�����d�����$G��],L �N�8�S �k{,��I�ބ�:���:�g���ؽ2�&̨̩�/�0�+�,��� ��� �����/�5��� ������������������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +14
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 1 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������*�ڑ�<(���H��@�����d�����$G��],L �N�8�S
��k{,��I�ބ�:���:�g���ؽ2�&̨̩�/�0�+�,��� ���
�����/�5���
���������������
Requête brute (extrait)
�����������*�ڑ�<(���H��@�����d�����$G��],L �N�8�S �k{,��I�ބ�:���:�g���ؽ2�&̨̩�/�0�+�,��� ��� �����/�5��� �������������������� � ����������� ����� �������������������������������������� �h2�http/1.1�����+� ����������3�&�$��� �J�=��_�������➐~H��i��9�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f742075706e705f74637020726561647920706f72743d353030310d0a",
"emulator_response_len": 39,
"bytes_in": 261,
"payload_entropy": 5.919736970967773,
"port_category": "registered",
"org": "OVH SAS",
"service": "upnp-tcp",
"app_proto": "upnp-tcp",
"asn": 16276,
"country": "RU",
"dst_port": 5001,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "436278379f11f507398419d513ec805702ed650d",
"event_fingerprint": "a80d71c7dcef6b8541bd0810036e78213dbbe720",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 14
},
"named_classification_skipped": false,
"service_name": "upnp-tcp",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "cd4d0020841a54ac8a9b159f993bd5cf",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 5001,
"service": "upnp-tcp",
"service_name": "upnp-tcp",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003*\ufffd\u0691\u0001<(\ufffd\u0016\ufffdH\ufffd\ufffd@\u001b\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd$G\ufffd\u001a],L \ufffdN\u00158\u0000S\n\f\ufffdk{,\ufffd\ufffdI\ufffd\u0784\u0019:\ufffd\ufffd\u0017:\ufffdg\ufffd\u0007\ufffd\u063d2\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003*\ufffd\u0691\u0001<(\ufffd\u0016\ufffdH\ufffd\ufffd@\u001b\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd$G\ufffd\u001a],L \ufffdN\u00158\u0000S\n\f\ufffdk{,\ufffd\ufffdI\ufffd\u0784\u0019:\ufffd\ufffd\u0017:\ufffdg\ufffd\u0007\ufffd\u063d2\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdJ\ufffd=\ufffd\u0010_\ufffd\u0019\ufffd\ufffd\ufffd\ufffd\ufffd\u2790~H\ufffd\ufffdi\ufffd\ufffd9\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003*\ufffd\u0691\u0001<(\ufffd\u0016\ufffdH\ufffd\ufffd@\u001b\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd$G\ufffd\u001a],L \ufffdN\u00158\u0000S\n\f\ufffdk{,\ufffd\ufffdI\ufffd\u0784\u0019:\ufffd\ufffd\u0017:\ufffdg\ufffd\u0007\ufffd\u063d2\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6c69a59b710b7436bd4b84470dea017a2ad50670",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003*\ufffd\u0691\u0001<(\ufffd\u0016\ufffdH\ufffd\ufffd@\u001b\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd$G\ufffd\u001a],L \ufffdN\u00158\u0000S\n\f\ufffdk{,\ufffd\ufffdI\ufffd\u0784\u0019:\ufffd\ufffd\u0017:\ufffdg\ufffd\u0007\ufffd\u063d2\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"port": 5001,
"service": "upnp-tcp",
"service_label_fr": "UPNP TCP"
},
"evidence_snippet": "\ufffd*\ufffd\u0691<(\ufffd\ufffdH\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd$G\ufffd],L \ufffdN8S\n\ufffdk{,\ufffd\ufffdI\ufffd\u0784:\ufffd\ufffd:\ufffdg\ufffd\ufffd\u063d2&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "port scan syn \u00b7 via UPNP TCP:5001 \u00b7 (reconnaissance)",
"target_port_label": "5001 \u00b7 UPNP TCP",
"emulator_service": "upnp-tcp",
"confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via UPNP TCP \u2014 multi-protocole (6 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 14
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "upnp-tcp",
"service_label_fr": "UPNP TCP",
"dst_port": 5001,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-upnp-tcp",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +14",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003*\ufffd\u0691\u0001<(\ufffd\u0016\ufffdH\ufffd\ufffd@\u001b\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd$G\ufffd\u001a],L \ufffdN\u00158\u0000S\n\f\ufffdk{,\ufffd\ufffdI\ufffd\u0784\u0019:\ufffd\ufffd\u0017:\ufffdg\ufffd\u0007\ufffd\u063d2\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"port": 5001,
"service": "upnp-tcp",
"service_label_fr": "UPNP TCP"
},
"attack_vector": "port scan syn \u00b7 via UPNP TCP:5001 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd*\ufffd\u0691<(\ufffd\ufffdH\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd$G\ufffd],L \ufffdN8S\n\ufffdk{,\ufffd\ufffdI\ufffd\u0784:\ufffd\ufffd:\ufffdg\ufffd\ufffd\u063d2&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "5001 \u00b7 UPNP TCP",
"emulator_service": "upnp-tcp",
"confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "upnp_tcp",
"service_banner": "honeypot-upnp-tcp",
"service_os": "linux",
"dst_port": "5001"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 5,
"port_scan_ports_sample": [
2053,
5001,
8081,
8443,
8888
],
"multi_protocol_correlation": true,
"multi_protocol_count": 6,
"multi_protocol_sample": [
"aws-ecs-agent",
"cloudflare-tunnel",
"http",
"https",
"kdm",
"upnp-tcp"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 14,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
8443 · HTTPS
|
https
|
Scan de ports
port scan syn · via HTTPS:8443 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
HTTPS
WAF
—
Recommandation
Surveiller
Tags
http_alt_port
net_web_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8443
Chemin / cible
—
Service
HTTPS
Payload
������������'�T/�7��휬abx��V�Í�n�4]�3NJ1S �<�g�����`%�����>�nF�5�{�]ܫ�����&̨̩�/�0�+�,��� ��� �����/�5��� ������������������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +14
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������'�T/�7��휬abx��V�Í�n�4]�3NJ1S �<�g�����`%�����>�nF�5�{�]ܫ�����&̨̩�/�0�+�,��� ���
�����/�5���
���������������
Requête brute (extrait)
������������'�T/�7��휬abx��V�Í�n�4]�3NJ1S �<�g�����`%�����>�nF�5�{�]ܫ�����&̨̩�/�0�+�,��� ��� �����/�5��� �������������������� � ����������� ����� �������������������������������������� �h2�http/1.1�����+� ����������3�&�$��� ���L���n�ڻ�#���6>�~�f%��
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 261,
"payload_entropy": 5.908657843013905,
"port_category": "registered",
"org": "OVH SAS",
"service": "https",
"app_proto": "https",
"asn": 16276,
"country": "RU",
"dst_port": 8443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "841a7de3c3cbd932ffe2df923d0bb6a948309046",
"event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 14
},
"named_classification_skipped": false,
"service_name": "https",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2d8d51593491dc3f1507e6c092583635",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 8443,
"service": "https",
"service_name": "https",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd'\ufffdT\/\ufffd7\ufffd\ufffd\ud72cabx\ufffd\ufffdV\b\u00cd\u0010n\ufffd4]\u000e3\u01ca1S \ufffd<\ufffdg\ufffd\ufffd\ufffd\u001e\u0012`%\ufffd\ufffd\ufffd\u0013\u0004>\ufffdnF\ufffd5\ufffd{\ufffd]\u072b\ufffd\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd'\ufffdT\/\ufffd7\ufffd\ufffd\ud72cabx\ufffd\ufffdV\b\u00cd\u0010n\ufffd4]\u000e3\u01ca1S \ufffd<\ufffdg\ufffd\ufffd\ufffd\u001e\u0012`%\ufffd\ufffd\ufffd\u0013\u0004>\ufffdnF\ufffd5\ufffd{\ufffd]\u072b\ufffd\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\b\ufffdL\ufffd\ufffd\ufffdn\ufffd\u06bb\ufffd#\ufffd\ufffd\u00166>\ufffd~\u001df%\u0005\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd'\ufffdT\/\ufffd7\ufffd\ufffd\ud72cabx\ufffd\ufffdV\b\u00cd\u0010n\ufffd4]\u000e3\u01ca1S \ufffd<\ufffdg\ufffd\ufffd\ufffd\u001e\u0012`%\ufffd\ufffd\ufffd\u0013\u0004>\ufffdnF\ufffd5\ufffd{\ufffd]\u072b\ufffd\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "06c3b7e3c527731f762d64ee2118fc02416ef24c",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd'\ufffdT\/\ufffd7\ufffd\ufffd\ud72cabx\ufffd\ufffdV\b\u00cd\u0010n\ufffd4]\u000e3\u01ca1S \ufffd<\ufffdg\ufffd\ufffd\ufffd\u001e\u0012`%\ufffd\ufffd\ufffd\u0013\u0004>\ufffdnF\ufffd5\ufffd{\ufffd]\u072b\ufffd\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"port": 8443,
"service": "https",
"service_label_fr": "HTTPS"
},
"evidence_snippet": "\ufffd\ufffd'\ufffdT\/\ufffd7\ufffd\ufffd\ud72cabx\ufffd\ufffdV\u00cdn\ufffd4]3\u01ca1S \ufffd<\ufffdg\ufffd\ufffd\ufffd`%\ufffd\ufffd\ufffd>\ufffdnF\ufffd5\ufffd{\ufffd]\u072b\ufffd\ufffd\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)",
"target_port_label": "8443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTPS \u2014 multi-protocole (5 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 14
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "https",
"service_label_fr": "HTTPS",
"dst_port": 8443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-https",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +14",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd'\ufffdT\/\ufffd7\ufffd\ufffd\ud72cabx\ufffd\ufffdV\b\u00cd\u0010n\ufffd4]\u000e3\u01ca1S \ufffd<\ufffdg\ufffd\ufffd\ufffd\u001e\u0012`%\ufffd\ufffd\ufffd\u0013\u0004>\ufffdnF\ufffd5\ufffd{\ufffd]\u072b\ufffd\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"port": 8443,
"service": "https",
"service_label_fr": "HTTPS"
},
"attack_vector": "port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd'\ufffdT\/\ufffd7\ufffd\ufffd\ud72cabx\ufffd\ufffdV\u00cdn\ufffd4]3\u01ca1S \ufffd<\ufffdg\ufffd\ufffd\ufffd`%\ufffd\ufffd\ufffd>\ufffdnF\ufffd5\ufffd{\ufffd]\u072b\ufffd\ufffd\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "8443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "https",
"service_banner": "honeypot-https",
"service_os": "linux",
"dst_port": "8443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 5,
"port_scan_ports_sample": [
1024,
2053,
8081,
8443,
8888
],
"multi_protocol_correlation": true,
"multi_protocol_count": 5,
"multi_protocol_sample": [
"aws-ecs-agent",
"cloudflare-tunnel",
"http",
"https",
"kdm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 14,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_alt_port",
"net_web_probe",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8888 · HTTP
|
http
|
Scan de ports
port scan syn · via HTTP:8888 · (reconnaissance)
|
Élevée
|
Moyen · 46
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 zgrab/0.x
Émulateur
HTTP
WAF
9
Recommandation
Surveiller
Tags
950470:nosqli-3
950734:sap-sapcontrol-path
net_web_probe
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8888
Chemin / cible
/
Pourquoi cette classification : Tags WAF: nosqli-3, sap-sapcontrol-path · confiance 100%
Confiance classification
100%
Corrélation +14
Risque capteur
Moyen
· 46
Confiance : Confiance 100 % — 2 tag(s) WAF
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
ET zgrab fingerprint
UA zgrab
HTTP alt 8888 probe
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 zgrab/0.x
Règles WAF
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8888
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "7b4be00556d7e6bfe311880770d4e1c76ac6f59e",
"http_host_hash": "25a58e7d7f0ed40aadf0d51b038172ea9ccc8435",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 112,
"payload_entropy": 5.059107436252552,
"port_category": "registered",
"org": "OVH SAS",
"service": "http",
"app_proto": "http",
"asn": 16276,
"country": "RU",
"dst_port": 8888,
"risk_waf": 44,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 46,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "21bf389d850abae9d7161b95ebaf244f6a5f045a",
"event_fingerprint": "49f507c2cf48f6931b95b26ad1848f202640d676",
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0594",
"pat-0458",
"pat-0599"
],
"matched_pattern_names": [
"ET zgrab fingerprint",
"UA zgrab",
"HTTP alt 8888 probe"
],
"pattern_ids": [
"pat-0594",
"pat-0458",
"pat-0599"
],
"confidence_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 46,
"correlation_boost": 14
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ef60d663d36db05cc1e68077f8a0f3fa",
"payload_hash": "4b45d64589c6857948a7f7d7fb4bc275",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8888,
"service": "http",
"service_name": "http",
"risk_score": 46
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 zgrab\/0.x",
"waf_tags": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 zgrab\/0.x",
"waf_tags": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "825028b32ffb9289a20016aa6cd43bcb73d512d2",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 zgrab\/0.x",
"port": 8888,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"attack_vector": "port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance)",
"target_port_label": "8888 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"classification_reason_label_fr": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (5 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 46,
"correlation_boost": 14
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 46,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8888,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +14",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 zgrab\/0.x",
"port": 8888,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"target_port_label": "8888 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8888"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 6,
"port_scan_ports_sample": [
1024,
2053,
5000,
8081,
8443,
8888
],
"multi_protocol_correlation": true,
"multi_protocol_count": 5,
"multi_protocol_sample": [
"aws-ecs-agent",
"cloudflare-tunnel",
"http",
"https",
"kdm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 14,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
2053 · CLOUDFLARE TUNNEL
|
cloudflare-tunnel
|
Scan de ports
port scan syn · via CLOUDFLARE TUNNEL:2053 · (reconnaissance)
|
Élevée
|
Moyen · 53
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
CLOUDFLARE-TUNNEL
WAF
—
Recommandation
Investiguer
Tags
cloudflare_tunnel_emulated
cloudflare_tunnel_payload
http_get_probe
mozi_pattern
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2053
Chemin / cible
—
Service
CLOUDFLARE TUNNEL
Payload
GET / HTTP/1.1 Host: 62.3.50.33:2053 User-Agent: Mozilla/5.0 zgrab/0.x Accept: */* Accept-Encoding: gzip
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +14
Risque capteur
Moyen
· 53
Confiance : Confiance 100 % — 5 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
ET zgrab fingerprint
UA zgrab
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:2053
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a5365727665723a20636c6f7564666c6172650d0a436f6e74656e742d4c656e6774683a20300d0a0d0a",
"emulator_response_len": 65,
"bytes_in": 112,
"payload_entropy": 5.030133217521869,
"port_category": "registered",
"org": "OVH SAS",
"service": "cloudflare-tunnel",
"app_proto": "cloudflare-tunnel",
"asn": 16276,
"country": "RU",
"dst_port": 2053,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25
},
"risk_score": 53,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "5004ba207ce4d8d47204e0994c4d5fbe107e9847",
"event_fingerprint": "ecf61e9accc2dacac55d45c01f6f6a64e26c6ab4",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0594",
"pat-0458"
],
"matched_pattern_names": [
"ET zgrab fingerprint",
"UA zgrab"
],
"pattern_ids": [
"pat-0594",
"pat-0458"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 53,
"correlation_boost": 14
},
"named_classification_skipped": false,
"service_name": "cloudflare-tunnel",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "7561080f1b8266bfa2f094a55bfa2bc1",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 2053,
"service": "cloudflare-tunnel",
"service_name": "cloudflare-tunnel",
"risk_score": 53
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2053\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2053\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2053\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2053\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2053\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e3c0cc33dcf6800365deadc475e56d59186a3dc8",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2053\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"port": 2053,
"service": "cloudflare-tunnel",
"service_label_fr": "CLOUDFLARE TUNNEL"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2053\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"attack_vector": "port scan syn \u00b7 via CLOUDFLARE TUNNEL:2053 \u00b7 (reconnaissance)",
"target_port_label": "2053 \u00b7 CLOUDFLARE TUNNEL",
"emulator_service": "cloudflare-tunnel",
"confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CLOUDFLARE TUNNEL \u2014 multi-protocole (5 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 53,
"correlation_boost": 14
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 53,
"risk_label": "Moyen",
"service_name": "cloudflare-tunnel",
"service_label_fr": "CLOUDFLARE TUNNEL",
"dst_port": 2053,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-cloudflare-tunnel",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +14",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2053\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"port": 2053,
"service": "cloudflare-tunnel",
"service_label_fr": "CLOUDFLARE TUNNEL"
},
"attack_vector": "port scan syn \u00b7 via CLOUDFLARE TUNNEL:2053 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2053\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"target_port_label": "2053 \u00b7 CLOUDFLARE TUNNEL",
"emulator_service": "cloudflare-tunnel",
"confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "cloudflare_tunnel",
"service_banner": "honeypot-cloudflare-tunnel",
"service_os": "linux",
"dst_port": "2053"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 6,
"port_scan_ports_sample": [
1024,
2053,
5000,
8081,
8443,
30005
],
"multi_protocol_correlation": true,
"multi_protocol_count": 5,
"multi_protocol_sample": [
"aws-ecs-agent",
"cloudflare-tunnel",
"http",
"https",
"kdm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 14,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"cloudflare_tunnel_emulated",
"cloudflare_tunnel_payload",
"http_get_probe",
"mozi_pattern",
"net_web_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8081 · HTTP
|
http
|
Scan de ports
port scan syn · via HTTP:8081 · (reconnaissance)
|
Élevée
|
Moyen · 46
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 zgrab/0.x
Émulateur
HTTP
WAF
9
Recommandation
Surveiller
Tags
950470:nosqli-3
950734:sap-sapcontrol-path
net_web_probe
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8081
Chemin / cible
/
Pourquoi cette classification : Tags WAF: nosqli-3, sap-sapcontrol-path · confiance 100%
Confiance classification
100%
Corrélation +14
Risque capteur
Moyen
· 46
Confiance : Confiance 100 % — 2 tag(s) WAF
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
ET zgrab fingerprint
UA zgrab
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 zgrab/0.x
Règles WAF
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8081
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "7b4be00556d7e6bfe311880770d4e1c76ac6f59e",
"http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 112,
"payload_entropy": 5.059107436252552,
"port_category": "registered",
"org": "OVH SAS",
"service": "http",
"app_proto": "http",
"asn": 16276,
"country": "RU",
"dst_port": 8081,
"risk_waf": 44,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 46,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "3c5b0d89e6b0f305d9e07fe5cbb06c60582917dc",
"event_fingerprint": "6200042a8eedd96c47b109adc0963a36d177f604",
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0594",
"pat-0458"
],
"matched_pattern_names": [
"ET zgrab fingerprint",
"UA zgrab"
],
"pattern_ids": [
"pat-0594",
"pat-0458"
],
"confidence_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 46,
"correlation_boost": 14
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ef60d663d36db05cc1e68077f8a0f3fa",
"payload_hash": "0907dd8a11e812f73678094cd91a73a1",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8081,
"service": "http",
"service_name": "http",
"risk_score": 46
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 zgrab\/0.x",
"waf_tags": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 zgrab\/0.x",
"waf_tags": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "408ee1b1443139e694d4a33d86cd53a1d2eb8491",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 zgrab\/0.x",
"port": 8081,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"attack_vector": "port scan syn \u00b7 via HTTP:8081 \u00b7 (reconnaissance)",
"target_port_label": "8081 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"classification_reason_label_fr": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (4 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 46,
"correlation_boost": 14
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 46,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8081,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +14",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 zgrab\/0.x",
"port": 8081,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8081 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"target_port_label": "8081 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8081"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 5,
"port_scan_ports_sample": [
1024,
5000,
8081,
8443,
30005
],
"multi_protocol_correlation": true,
"multi_protocol_count": 4,
"multi_protocol_sample": [
"aws-ecs-agent",
"http",
"https",
"kdm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 14,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
1024 · KDM
|
kdm
|
Scan de ports
port scan syn · via KDM:1024 · (reconnaissance)
|
Élevée
|
Moyen · 51
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
KDM
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
mozi_pattern
net_mozi_pattern
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
1024
Chemin / cible
—
Service
KDM
Payload
GET / HTTP/1.1 Host: 62.3.50.33:1024 User-Agent: Mozilla/5.0 zgrab/0.x Accept: */* Accept-Encoding: gzip
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +14
Risque capteur
Moyen
· 51
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
ET zgrab fingerprint
UA zgrab
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:1024
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206b646d20726561647920706f72743d313032340d0a",
"emulator_response_len": 34,
"bytes_in": 112,
"payload_entropy": 5.059107436252552,
"port_category": "registered",
"org": "OVH SAS",
"service": "kdm",
"app_proto": "kdm",
"asn": 16276,
"country": "RU",
"dst_port": 1024,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 15,
"risk_boost": 20,
"risk_granularity": 1.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15
},
"risk_score": 51,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b9ed8eedb2d7cacf7f6c17864d36d17850957319",
"event_fingerprint": "43a391efbc4b959775b89d3fc895feaf23a04a6b",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0594",
"pat-0458"
],
"matched_pattern_names": [
"ET zgrab fingerprint",
"UA zgrab"
],
"pattern_ids": [
"pat-0594",
"pat-0458"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 51,
"correlation_boost": 14
},
"named_classification_skipped": false,
"service_name": "kdm",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6dee61d45f8169c1d825ad21fa7b14b0",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 1024,
"service": "kdm",
"service_name": "kdm",
"risk_score": 51
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1024\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1024\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1024\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1024\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1024\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "91d54467330cf1a6ad2d4feb9a420f9c6b060a7a",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1024\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"port": 1024,
"service": "kdm",
"service_label_fr": "KDM"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1024\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"attack_vector": "port scan syn \u00b7 via KDM:1024 \u00b7 (reconnaissance)",
"target_port_label": "1024 \u00b7 KDM",
"emulator_service": "kdm",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via KDM \u2014 multi-protocole (4 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 51,
"correlation_boost": 14
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 51,
"risk_label": "Moyen",
"service_name": "kdm",
"service_label_fr": "KDM",
"dst_port": 1024,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-kdm",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +14",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1024\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"port": 1024,
"service": "kdm",
"service_label_fr": "KDM"
},
"attack_vector": "port scan syn \u00b7 via KDM:1024 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1024\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"target_port_label": "1024 \u00b7 KDM",
"emulator_service": "kdm",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "kdm",
"service_banner": "honeypot-kdm",
"service_os": "linux",
"dst_port": "1024"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 5,
"port_scan_ports_sample": [
1024,
5000,
8089,
8443,
30005
],
"multi_protocol_correlation": true,
"multi_protocol_count": 4,
"multi_protocol_sample": [
"aws-ecs-agent",
"http",
"https",
"kdm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 14,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"mozi_pattern",
"net_mozi_pattern"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8443 · HTTPS
|
https
|
Scan de ports
port scan syn · via HTTPS:8443 · (reconnaissance)
|
Élevée
|
Moyen · 53
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
HTTPS
WAF
—
Recommandation
Investiguer
Tags
http_alt_port
http_get_probe
mozi_pattern
net_web_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8443
Chemin / cible
—
Service
HTTPS
Payload
GET / HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 zgrab/0.x Accept: */* Accept-Encoding: gzip
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +14
Risque capteur
Moyen
· 53
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
ET zgrab fingerprint
UA zgrab
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8443
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 112,
"payload_entropy": 5.083704646093297,
"port_category": "registered",
"org": "OVH SAS",
"service": "https",
"app_proto": "https",
"asn": 16276,
"country": "RU",
"dst_port": 8443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 20,
"risk_granularity": 3.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 53,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "2aa17a6b515596b20eaea8d57184d62da9f48dfc",
"event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0594",
"pat-0458"
],
"matched_pattern_names": [
"ET zgrab fingerprint",
"UA zgrab"
],
"pattern_ids": [
"pat-0594",
"pat-0458"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 53,
"correlation_boost": 14
},
"named_classification_skipped": false,
"service_name": "https",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "1fa84916b207202da032b73901af3ba3",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 8443,
"service": "https",
"service_name": "https",
"risk_score": 53
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3c99aacb5faf9c458f6db3db5aa5b4daecca3865",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"port": 8443,
"service": "https",
"service_label_fr": "HTTPS"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"attack_vector": "port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)",
"target_port_label": "8443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTPS \u2014 multi-protocole (3 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 53,
"correlation_boost": 14
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 53,
"risk_label": "Moyen",
"service_name": "https",
"service_label_fr": "HTTPS",
"dst_port": 8443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-https",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +14",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"port": 8443,
"service": "https",
"service_label_fr": "HTTPS"
},
"attack_vector": "port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"target_port_label": "8443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "https",
"service_banner": "honeypot-https",
"service_os": "linux",
"dst_port": "8443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 5,
"port_scan_ports_sample": [
5000,
8085,
8089,
8443,
30005
],
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"aws-ecs-agent",
"http",
"https"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 14,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"http_alt_port",
"http_get_probe",
"mozi_pattern",
"net_web_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5000 · HTTP
|
http
|
Scan de ports
port scan syn · via HTTP:5000 · (reconnaissance)
|
Élevée
|
Moyen · 44
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 zgrab/0.x
Émulateur
HTTP
WAF
9
Recommandation
Surveiller
Tags
950470:nosqli-3
950734:sap-sapcontrol-path
net_web_probe
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5000
Chemin / cible
/
Pourquoi cette classification : Tags WAF: nosqli-3, sap-sapcontrol-path · confiance 100%
Confiance classification
100%
Corrélation +14
Risque capteur
Moyen
· 44
Confiance : Confiance 100 % — 2 tag(s) WAF
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
ET zgrab fingerprint
UA zgrab
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 zgrab/0.x
Règles WAF
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:5000
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c",
"emulator_response_len": 158,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "7b4be00556d7e6bfe311880770d4e1c76ac6f59e",
"http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 112,
"payload_entropy": 5.009913016571061,
"port_category": "registered",
"org": "OVH SAS",
"service": "http",
"app_proto": "http",
"asn": 16276,
"country": "RU",
"dst_port": 5000,
"risk_waf": 44,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 44,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "e727e1636ef6f6717e04d6bacfac19cbfb94845c",
"event_fingerprint": "75a3a9e560bcdbdbc1d9fd15750e1b81cebffe01",
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0594",
"pat-0458"
],
"matched_pattern_names": [
"ET zgrab fingerprint",
"UA zgrab"
],
"pattern_ids": [
"pat-0594",
"pat-0458"
],
"confidence_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 44,
"correlation_boost": 14
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ef60d663d36db05cc1e68077f8a0f3fa",
"payload_hash": "f2a79c89c01b43d675ffe5a87379ca62",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 5000,
"service": "http",
"service_name": "http",
"risk_score": 44
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5000\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 zgrab\/0.x",
"waf_tags": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5000\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5000\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 zgrab\/0.x",
"waf_tags": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5000\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5000\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d07b78c14d1aaf4c381cffcdfd00651ae4fe9001",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 zgrab\/0.x",
"port": 5000,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5000\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"attack_vector": "port scan syn \u00b7 via HTTP:5000 \u00b7 (reconnaissance)",
"target_port_label": "5000 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"classification_reason_label_fr": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 44,
"correlation_boost": 14
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 5000,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +14",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 zgrab\/0.x",
"port": 5000,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:5000 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5000\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"target_port_label": "5000 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "5000"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 5,
"port_scan_ports_sample": [
5000,
8080,
8085,
8089,
30005
],
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"aws-ecs-agent",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 14,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
30005 · HTTP
|
http
|
Scan de ports
port scan syn · via HTTP:30005 · (reconnaissance)
|
Élevée
|
Moyen · 47
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 zgrab/0.x
Émulateur
HTTP
WAF
9
Recommandation
Surveiller
Tags
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
30005
Chemin / cible
/
Pourquoi cette classification : Tags WAF: nosqli-3, sap-sapcontrol-path · confiance 100%
Confiance classification
100%
Corrélation +14
Risque capteur
Moyen
· 47
Confiance : Confiance 100 % — 2 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
ET zgrab fingerprint
UA zgrab
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 zgrab/0.x
Règles WAF
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:30005
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "7b4be00556d7e6bfe311880770d4e1c76ac6f59e",
"http_host_hash": "35199aec1f494705c37d247e1616159f8ad2f9f2",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 113,
"payload_entropy": 5.009925812748559,
"port_category": "registered",
"org": "OVH SAS",
"service": "http",
"app_proto": "http",
"asn": 16276,
"country": "RU",
"dst_port": 30005,
"risk_waf": 44,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15
},
"risk_score": 47,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "16f2c69fbeec29d3107d62b26f28dc49c9e75251",
"event_fingerprint": "3016f3038977b9eb47c64c3c6038ddbf5d0479fe",
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0594",
"pat-0458"
],
"matched_pattern_names": [
"ET zgrab fingerprint",
"UA zgrab"
],
"pattern_ids": [
"pat-0594",
"pat-0458"
],
"confidence_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 47,
"correlation_boost": 14
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ef60d663d36db05cc1e68077f8a0f3fa",
"payload_hash": "03d1baaca5649d0cbd360145392e7ec4",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 30005,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30005\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 zgrab\/0.x",
"waf_tags": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30005\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30005\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 zgrab\/0.x",
"waf_tags": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30005\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30005\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8dba8c09d0b889957cfea8d9517fc6e2c7d1a501",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 zgrab\/0.x",
"port": 30005,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30005\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"attack_vector": "port scan syn \u00b7 via HTTP:30005 \u00b7 (reconnaissance)",
"target_port_label": "30005 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"classification_reason_label_fr": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 47,
"correlation_boost": 14
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 30005,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +14",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 zgrab\/0.x",
"port": 30005,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:30005 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30005\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"target_port_label": "30005 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "30005"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 5,
"port_scan_ports_sample": [
4567,
8080,
8085,
8089,
30005
],
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"aws-ecs-agent",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 14,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8089 · HTTP
|
http
|
Scan de ports
port scan syn · via HTTP:8089 · (reconnaissance)
|
Élevée
|
Moyen · 48
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 zgrab/0.x
Émulateur
HTTP
WAF
9
Recommandation
Surveiller
Tags
950470:nosqli-3
950734:sap-sapcontrol-path
net_web_probe
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8089
Chemin / cible
/
Pourquoi cette classification : Tags WAF: nosqli-3, sap-sapcontrol-path · confiance 100%
Confiance classification
100%
Corrélation +14
Risque capteur
Moyen
· 48
Confiance : Confiance 100 % — 2 tag(s) WAF
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
ET zgrab fingerprint
UA zgrab
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 zgrab/0.x
Règles WAF
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8089
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "7b4be00556d7e6bfe311880770d4e1c76ac6f59e",
"http_host_hash": "6e7855f9d1ec5b350040e6a7fa2c7046d35c68a6",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 112,
"payload_entropy": 5.083704646093297,
"port_category": "registered",
"org": "OVH SAS",
"service": "http",
"app_proto": "http",
"asn": 16276,
"country": "RU",
"dst_port": 8089,
"risk_waf": 44,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.7,
"risk_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "3dcbd718aee25c603659d401ebc89ec17c0e8d26",
"event_fingerprint": "ba90420e23c65aee85f6aad281e4572aebff6d6e",
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0594",
"pat-0458"
],
"matched_pattern_names": [
"ET zgrab fingerprint",
"UA zgrab"
],
"pattern_ids": [
"pat-0594",
"pat-0458"
],
"confidence_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 48,
"correlation_boost": 14
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ef60d663d36db05cc1e68077f8a0f3fa",
"payload_hash": "d92e9af195da9d51503f7cfc50e8a760",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8089,
"service": "http",
"service_name": "http",
"risk_score": 48
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8089\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 zgrab\/0.x",
"waf_tags": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8089\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8089\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 zgrab\/0.x",
"waf_tags": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8089\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8089\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "448d5533a01bf301ea55c179dafdfd447a978b98",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 zgrab\/0.x",
"port": 8089,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8089\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"attack_vector": "port scan syn \u00b7 via HTTP:8089 \u00b7 (reconnaissance)",
"target_port_label": "8089 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"classification_reason_label_fr": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 48,
"correlation_boost": 14
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8089,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +14",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 zgrab\/0.x",
"port": 8089,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8089 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8089\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"target_port_label": "8089 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8089"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 5,
"port_scan_ports_sample": [
4567,
7547,
8080,
8085,
8089
],
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"aws-ecs-agent",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 14,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8085 · HTTP
|
http
|
Scan de ports
port scan syn · via HTTP:8085 · (reconnaissance)
|
Élevée
|
Moyen · 47
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 zgrab/0.x
Émulateur
HTTP
WAF
9
Recommandation
Surveiller
Tags
950470:nosqli-3
950734:sap-sapcontrol-path
net_web_probe
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8085
Chemin / cible
/
Pourquoi cette classification : Tags WAF: nosqli-3, sap-sapcontrol-path · confiance 100%
Confiance classification
100%
Corrélation +14
Risque capteur
Moyen
· 47
Confiance : Confiance 100 % — 2 tag(s) WAF
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
ET zgrab fingerprint
UA zgrab
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 zgrab/0.x
Règles WAF
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8085
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "7b4be00556d7e6bfe311880770d4e1c76ac6f59e",
"http_host_hash": "8307e910dac7083f4f0d52abcc8375f89d55b254",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 112,
"payload_entropy": 5.059107436252552,
"port_category": "registered",
"org": "OVH SAS",
"service": "http",
"app_proto": "http",
"asn": 16276,
"country": "RU",
"dst_port": 8085,
"risk_waf": 44,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 47,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "695676f411c001dad49368f0d91e62d9922c1e85",
"event_fingerprint": "3ba3caf85b54604d2e5345c79177ef73dd4d9056",
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 231,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0594",
"pat-0458"
],
"matched_pattern_names": [
"ET zgrab fingerprint",
"UA zgrab"
],
"pattern_ids": [
"pat-0594",
"pat-0458"
],
"confidence_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 47,
"correlation_boost": 14
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ef60d663d36db05cc1e68077f8a0f3fa",
"payload_hash": "30ebfef5265d94efd52dfa1725158432",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8085,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8085\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 zgrab\/0.x",
"waf_tags": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8085\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8085\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 zgrab\/0.x",
"waf_tags": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8085\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8085\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "110c6b2a4f7aa94f7daa86d3cef66f7be0ce11dd",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 zgrab\/0.x",
"port": 8085,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8085\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"attack_vector": "port scan syn \u00b7 via HTTP:8085 \u00b7 (reconnaissance)",
"target_port_label": "8085 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"classification_reason_label_fr": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 47,
"correlation_boost": 14
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8085,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +14",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 zgrab\/0.x",
"port": 8085,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8085 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8085\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"target_port_label": "8085 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8085"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 4,
"port_scan_ports_sample": [
4567,
7547,
8080,
8085
],
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"aws-ecs-agent",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 14,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8080 · HTTP
|
http
|
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance)
|
Élevée
|
Moyen · 46
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 zgrab/0.x
Émulateur
HTTP
WAF
9
Recommandation
Surveiller
Tags
950470:nosqli-3
950734:sap-sapcontrol-path
net_web_probe
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8080
Chemin / cible
/
Pourquoi cette classification : Tags WAF: nosqli-3, sap-sapcontrol-path · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 46
Confiance : Confiance 100 % — 2 tag(s) WAF
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
ET zgrab fingerprint
UA zgrab
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 zgrab/0.x
Règles WAF
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "7b4be00556d7e6bfe311880770d4e1c76ac6f59e",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 112,
"payload_entropy": 5.051475713285826,
"port_category": "registered",
"org": "OVH SAS",
"service": "http",
"app_proto": "http",
"asn": 16276,
"country": "RU",
"dst_port": 8080,
"risk_waf": 44,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 46,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b1c1d63cb11f530ae59ec2181946dabedd690d9a",
"event_fingerprint": "e8d7e440ce64622852a586f753bfe5d0110d3e76",
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 231,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0594",
"pat-0458"
],
"matched_pattern_names": [
"ET zgrab fingerprint",
"UA zgrab"
],
"pattern_ids": [
"pat-0594",
"pat-0458"
],
"confidence_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 46,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ef60d663d36db05cc1e68077f8a0f3fa",
"payload_hash": "15db5e6ccbc8cf8875fac67e31c3f499",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 46
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 zgrab\/0.x",
"waf_tags": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 zgrab\/0.x",
"waf_tags": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2a8c39bd357204ae6b399709d08cfb8137a7951a",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 zgrab\/0.x",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance)",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"classification_reason_label_fr": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 44,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 46,
"correlation_boost": 8
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 46,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 zgrab\/0.x",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"aws-ecs-agent",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
4567 · AWS ECS AGENT
|
aws-ecs-agent
|
Scan vulnérabilités
scanner vuln · via AWS ECS AGENT:4567 · (sonde / probe)
|
Élevée
|
Moyen · 49
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
AWS-ECS-AGENT
WAF
—
Recommandation
Surveiller
Tags
aws_ecs_agent_emulated
aws_ecs_agent_payload
http_get_probe
mozi_pattern
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
4567
Chemin / cible
—
Service
AWS ECS AGENT
Payload
GET / HTTP/1.1 Host: 62.3.50.33:4567 User-Agent: Mozilla/5.0 zgrab/0.x Accept: */* Accept-Encoding: gzip
Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 49
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0594
pat-0458
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
ET zgrab fingerprint
UA zgrab
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:4567
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206177735f6563735f6167656e7420726561647920706f72743d343536370d0a",
"emulator_response_len": 44,
"bytes_in": 112,
"payload_entropy": 5.0880816549832355,
"port_category": "registered",
"org": "OVH SAS",
"service": "aws-ecs-agent",
"app_proto": "aws-ecs-agent",
"asn": 16276,
"country": "RU",
"dst_port": 4567,
"risk_waf": 8,
"risk_classification": 52,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25
},
"risk_score": 49,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "51ebd422486eaae9d380a4b426af602a2fb5a6cc",
"event_fingerprint": "ed5db39ce4a1ce0fda50382d1438797185e5f337",
"classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 108,
"precision_signals": [
"pat-0594",
"pat-0458"
],
"kb_rule_ids": [
"pat-0594",
"pat-0458"
],
"matched_patterns": [
"pat-0594",
"pat-0458"
],
"matched_pattern_names": [
"ET zgrab fingerprint",
"UA zgrab"
],
"pattern_ids": [
"pat-0594",
"pat-0458"
],
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 49,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "vuln_scanner",
"service_name": "aws-ecs-agent",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2b62e1a5dc99586600e0ecc5d14565d4",
"path_pattern_hash": "b71c8aad2b015494f15e7bb035951b05"
},
"target_context": {
"dst_port": 4567,
"service": "aws-ecs-agent",
"service_name": "aws-ecs-agent",
"risk_score": 49
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4567\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4567\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4567\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4567\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4567\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3edeefbe4e92c5a06701e4a5b12264b7224f70ee",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4567\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"port": 4567,
"service": "aws-ecs-agent",
"service_label_fr": "AWS ECS AGENT"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4567\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"attack_vector": "scanner vuln \u00b7 via AWS ECS AGENT:4567 \u00b7 (sonde \/ probe)",
"target_port_label": "4567 \u00b7 AWS ECS AGENT",
"emulator_service": "aws-ecs-agent",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 49,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 49,
"risk_label": "Moyen",
"service_name": "aws-ecs-agent",
"service_label_fr": "AWS ECS AGENT",
"dst_port": 4567,
"protocol_emulated": true,
"tags_summary": [
"pat-0594",
"pat-0458"
],
"tags_summary_labels_fr": [
"pat-0594",
"pat-0458"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-aws-ecs-agent",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4567\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"port": 4567,
"service": "aws-ecs-agent",
"service_label_fr": "AWS ECS AGENT"
},
"attack_vector": "scanner vuln \u00b7 via AWS ECS AGENT:4567 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4567\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"target_port_label": "4567 \u00b7 AWS ECS AGENT",
"emulator_service": "aws-ecs-agent",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "aws_ecs_agent",
"service_banner": "honeypot-aws-ecs-agent",
"service_os": "linux",
"dst_port": "4567"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"aws-ecs-agent",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"aws_ecs_agent_emulated",
"aws_ecs_agent_payload",
"http_get_probe",
"mozi_pattern",
"net_cloud_scanner"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7547 · HTTP
|
http
|
Scan vulnérabilités
scanner vuln · via HTTP:7547 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
GET / UA Mozilla/5.0 zgrab/0.x
Émulateur
HTTP
WAF
9
Recommandation
Surveiller
Tags
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
7547
Chemin / cible
/
Pourquoi cette classification : Tags WAF: nosqli-3, sap-sapcontrol-path · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — Motif catalogue confirmé · 2 tag(s) WAF
Signaux
pat-0594
pat-0458
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
ET zgrab fingerprint
UA zgrab
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 zgrab/0.x
Règles WAF
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:7547
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "7b4be00556d7e6bfe311880770d4e1c76ac6f59e",
"http_host_hash": "89d87453121897c0b4544fa397f8c826335c2714",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 112,
"payload_entropy": 5.0880816549832355,
"port_category": "registered",
"org": "OVH SAS",
"service": "http",
"app_proto": "http",
"asn": 16276,
"country": "RU",
"dst_port": 7547,
"risk_waf": 44,
"risk_classification": 52,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 44,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15
},
"risk_score": 48,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "fc0531b7dcf11f6f1988f58d7f30f61926a9309d",
"event_fingerprint": "986353bc470389ce8fd34d587b920c685e27e0a3",
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 108,
"precision_signals": [
"pat-0594",
"pat-0458"
],
"kb_rule_ids": [
"pat-0594",
"pat-0458"
],
"matched_patterns": [
"pat-0594",
"pat-0458"
],
"matched_pattern_names": [
"ET zgrab fingerprint",
"UA zgrab"
],
"pattern_ids": [
"pat-0594",
"pat-0458"
],
"confidence_breakdown": {
"waf": 44,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 48
},
"named_classification_skipped": false,
"classification_parent": "vuln_scanner",
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ef60d663d36db05cc1e68077f8a0f3fa",
"payload_hash": "b5850fa0422c1a3f54d66fa4cacae350",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 7547,
"service": "http",
"service_name": "http",
"risk_score": 48
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7547\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 zgrab\/0.x",
"waf_tags": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7547\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7547\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 zgrab\/0.x",
"waf_tags": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7547\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7547\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "56dbccd540a13ed9d616b9da159d5fe27d603287",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 zgrab\/0.x",
"port": 7547,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7547\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"attack_vector": "scanner vuln \u00b7 via HTTP:7547 \u00b7 (sonde \/ probe)",
"target_port_label": "7547 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 95%",
"classification_reason_label_fr": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 44,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7547,
"protocol_emulated": null,
"tags_summary": [
"pat-0594",
"pat-0458"
],
"tags_summary_labels_fr": [
"pat-0594",
"pat-0458"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 zgrab\/0.x",
"port": 7547,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "scanner vuln \u00b7 via HTTP:7547 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7547\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"target_port_label": "7547 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 44 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7547"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5460 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:5460 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 cc61f04eb7a2e049
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5460
Chemin / cible
—
Service
TLS
Payload
������������h�� �-��Y���&��l�hgͅ�Fv�H�al� TME 2[�9���qK�<'����vui��?��������������,�0����̨̩̪���������]�a�W�S���+�/��������
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
������������h�� �-��Y���&��l�hgͅ�Fv�H�al� TME 2[�9���qK�<'����vui��?��������������,�0����̨̩̪���������]�a�W�S���+�/��������
Requête brute (extrait)
������������h�� �-��Y���&��l�hgͅ�Fv�H�al� TME 2[�9���qK�<'����vui��?��������������,�0����̨̩̪���������]�a�W�S���+�/�������������\�`�V�R���$�(�k�j�s�w�����m���#�'�g�@�r�v�����l��� ���9�8�������:��� ���3�2�E�D���4�F�������Q�������P�=���<���5���/�A������
Meta JSON brut
{
"tls_ja3_hash": "cc61f04eb7a2e049ef5095a5eb5a4ae0",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 24,
"bytes_in": 517,
"payload_entropy": 5.024802760452281,
"port_category": "registered",
"org": "OVH SAS",
"service": "tls",
"app_proto": "tls",
"asn": 16276,
"country": "RU",
"dst_port": 5460,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "746c55b23b166b0a365595ab977f5e0aea5f05e1",
"event_fingerprint": "0ec653656c3cd8fc5ce59110ea0fbcc18bd95188",
"classification_confidence": 0.58,
"confidence": 0.58,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "cc61f04eb7a2e049ef5095a5eb5a4ae0",
"payload_hash": "f529abb4a2c11c276aa248ba0abd7b66",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 5460,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdh\u0015\ufffd\t\ufffd-\ufffd\u0011Y\u0006\ufffd\ufffd&\ufffd\ufffdl\u000ehg\u0345\ufffdFv\ufffdH\ufffdal\ufffd TME 2[\u00109\ufffd\u0018\ufffdqK\u0004<'\ufffd\ufffd\u0011\ufffdvui\u001c\ufffd?\ufffd\b\ufffd\ufffd\u0012\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdh\u0015\ufffd\t\ufffd-\ufffd\u0011Y\u0006\ufffd\ufffd&\ufffd\ufffdl\u000ehg\u0345\ufffdFv\ufffdH\ufffdal\ufffd TME 2[\u00109\ufffd\u0018\ufffdqK\u0004<'\ufffd\ufffd\u0011\ufffdvui\u001c\ufffd?\ufffd\b\ufffd\ufffd\u0012\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffdV\ufffdR\u0000\ufffd\ufffd$\ufffd(\u0000k\u0000j\ufffds\ufffdw\u0000\ufffd\u0000\ufffd\u0000m\u0000\ufffd\ufffd#\ufffd'\u0000g\u0000@\ufffdr\ufffdv\u0000\ufffd\u0000\ufffd\u0000l\u0000\ufffd\ufffd\n\ufffd\u0014\u00009\u00008\u0000\ufffd\u0000\ufffd\ufffd\u0019\u0000:\u0000\ufffd\ufffd\t\ufffd\u0013\u00003\u00002\u0000E\u0000D\ufffd\u0018\u00004\u0000F\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001\u0005",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdh\u0015\ufffd\t\ufffd-\ufffd\u0011Y\u0006\ufffd\ufffd&\ufffd\ufffdl\u000ehg\u0345\ufffdFv\ufffdH\ufffdal\ufffd TME 2[\u00109\ufffd\u0018\ufffdqK\u0004<'\ufffd\ufffd\u0011\ufffdvui\u001c\ufffd?\ufffd\b\ufffd\ufffd\u0012\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8a6fe9a9e594bc6df7b23c4c708fd5df721f4ec6",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdh\u0015\ufffd\t\ufffd-\ufffd\u0011Y\u0006\ufffd\ufffd&\ufffd\ufffdl\u000ehg\u0345\ufffdFv\ufffdH\ufffdal\ufffd TME 2[\u00109\ufffd\u0018\ufffdqK\u0004<'\ufffd\ufffd\u0011\ufffdvui\u001c\ufffd?\ufffd\b\ufffd\ufffd\u0012\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"tls_ja3": "cc61f04eb7a2e049ef5095a5eb5a4ae0",
"port": 5460,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdh\ufffd\t\ufffd-\ufffdY\ufffd\ufffd&\ufffd\ufffdlhg\u0345\ufffdFv\ufffdH\ufffdal\ufffd TME 2[9\ufffd\ufffdqK<'\ufffd\ufffd\ufffdvui\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd",
"attack_vector": "tls probe \u00b7 via TLS:5460 \u00b7 (sonde \/ probe)",
"target_port_label": "5460 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 5460,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdh\u0015\ufffd\t\ufffd-\ufffd\u0011Y\u0006\ufffd\ufffd&\ufffd\ufffdl\u000ehg\u0345\ufffdFv\ufffdH\ufffdal\ufffd TME 2[\u00109\ufffd\u0018\ufffdqK\u0004<'\ufffd\ufffd\u0011\ufffdvui\u001c\ufffd?\ufffd\b\ufffd\ufffd\u0012\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"tls_ja3": "cc61f04eb7a2e049ef5095a5eb5a4ae0",
"port": 5460,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:5460 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdh\ufffd\t\ufffd-\ufffdY\ufffd\ufffd&\ufffd\ufffdlhg\u0345\ufffdFv\ufffdH\ufffdal\ufffd TME 2[9\ufffd\ufffdqK<'\ufffd\ufffd\ufffdvui\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd",
"target_port_label": "5460 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "5460"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:5460",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5460 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:5460 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 cc61f04eb7a2e049
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5460
Chemin / cible
—
Service
TLS
Payload
�������������ï9�3��` c(���}�h��+i��!�9��@� ��q�Ao���<t| F��=� �\�K��kZ���)����������,�0����̨̩̪���������]�a�W�S���+�/��������
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������ï9�3��`
c(���}�h��+i��!�9��@� ��q�Ao���<t|
F��=���\�K��kZ���)����������,�0����̨̩̪���������]�a�W�S���+�/��������
Requête brute (extrait)
�������������ï9�3��` c(���}�h��+i��!�9��@� ��q�Ao���<t| F��=� �\�K��kZ���)����������,�0����̨̩̪���������]�a�W�S���+�/�������������\�`�V�R���$�(�k�j�s�w�����m���#�'�g�@�r�v�����l��� ���9�8�������:��� ���3�2�E�D���4�F�������Q�������P�=���<���5���/�A������
Meta JSON brut
{
"tls_ja3_hash": "cc61f04eb7a2e049ef5095a5eb5a4ae0",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 24,
"bytes_in": 517,
"payload_entropy": 5.0654042279435245,
"port_category": "registered",
"org": "OVH SAS",
"service": "tls",
"app_proto": "tls",
"asn": 16276,
"country": "RU",
"dst_port": 5460,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "746c55b23b166b0a365595ab977f5e0aea5f05e1",
"event_fingerprint": "0ec653656c3cd8fc5ce59110ea0fbcc18bd95188",
"classification_confidence": 0.58,
"confidence": 0.58,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "cc61f04eb7a2e049ef5095a5eb5a4ae0",
"payload_hash": "a3b699a1d25d1ecf7d78a62d0516e8df",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 5460,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u000e\ufffd\u00ef9\ufffd3\ufffd\ufffd`\nc(\ufffd\ufffd\ufffd}\ufffdh\ufffd\ufffd+i\ufffd\ufffd!\ufffd9\ufffd\ufffd@\ufffd \ufffd\ufffdq\ufffdAo\ufffd\ufffd\ufffd<t|\nF\ufffd\ufffd=\ufffd\u000b\ufffd\\\ufffdK\ufffd\ufffdkZ\ufffd\ufffd\ufffd)\ufffd\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u000e\ufffd\u00ef9\ufffd3\ufffd\ufffd`\nc(\ufffd\ufffd\ufffd}\ufffdh\ufffd\ufffd+i\ufffd\ufffd!\ufffd9\ufffd\ufffd@\ufffd \ufffd\ufffdq\ufffdAo\ufffd\ufffd\ufffd<t|\nF\ufffd\ufffd=\ufffd\u000b\ufffd\\\ufffdK\ufffd\ufffdkZ\ufffd\ufffd\ufffd)\ufffd\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffdV\ufffdR\u0000\ufffd\ufffd$\ufffd(\u0000k\u0000j\ufffds\ufffdw\u0000\ufffd\u0000\ufffd\u0000m\u0000\ufffd\ufffd#\ufffd'\u0000g\u0000@\ufffdr\ufffdv\u0000\ufffd\u0000\ufffd\u0000l\u0000\ufffd\ufffd\n\ufffd\u0014\u00009\u00008\u0000\ufffd\u0000\ufffd\ufffd\u0019\u0000:\u0000\ufffd\ufffd\t\ufffd\u0013\u00003\u00002\u0000E\u0000D\ufffd\u0018\u00004\u0000F\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001\u0005",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u000e\ufffd\u00ef9\ufffd3\ufffd\ufffd`\nc(\ufffd\ufffd\ufffd}\ufffdh\ufffd\ufffd+i\ufffd\ufffd!\ufffd9\ufffd\ufffd@\ufffd \ufffd\ufffdq\ufffdAo\ufffd\ufffd\ufffd<t|\nF\ufffd\ufffd=\ufffd\u000b\ufffd\\\ufffdK\ufffd\ufffdkZ\ufffd\ufffd\ufffd)\ufffd\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u000e\ufffd\u00ef9\ufffd3\ufffd\ufffd`\nc(\ufffd\ufffd\ufffd}\ufffdh\ufffd\ufffd+i\ufffd\ufffd!\ufffd9\ufffd\ufffd@\ufffd \ufffd\ufffdq\ufffdAo\ufffd\ufffd\ufffd<t|\nF\ufffd\ufffd=\ufffd\u000b\ufffd\\\ufffdK\ufffd\ufffdkZ\ufffd\ufffd\ufffd)\ufffd\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffdV\ufffdR\u0000\ufffd\ufffd$\ufffd(\u0000k\u0000j\ufffds\ufffdw\u0000\ufffd\u0000\ufffd\u0000m\u0000\ufffd\ufffd#\ufffd'\u0000g\u0000@\ufffdr\ufffdv\u0000\ufffd\u0000\ufffd\u0000l\u0000\ufffd\ufffd\n\ufffd\u0014\u00009\u00008\u0000\ufffd\u0000\ufffd\ufffd\u0019\u0000:\u0000\ufffd\ufffd\t\ufffd\u0013\u00003\u00002\u0000E\u0000D\ufffd\u0018\u00004\u0000F\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001\u0005",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u000e\ufffd\u00ef9\ufffd3\ufffd\ufffd`\nc(\ufffd\ufffd\ufffd}\ufffdh\ufffd\ufffd+i\ufffd\ufffd!\ufffd9\ufffd\ufffd@\ufffd \ufffd\ufffdq\ufffdAo\ufffd\ufffd\ufffd<t|\nF\ufffd\ufffd=\ufffd\u000b\ufffd\\\ufffdK\ufffd\ufffdkZ\ufffd\ufffd\ufffd)\ufffd\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5dc02ff53099bb3c00bfccc92c50374bb49f7c0b",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u000e\ufffd\u00ef9\ufffd3\ufffd\ufffd`\nc(\ufffd\ufffd\ufffd}\ufffdh\ufffd\ufffd+i\ufffd\ufffd!\ufffd9\ufffd\ufffd@\ufffd \ufffd\ufffdq\ufffdAo\ufffd\ufffd\ufffd<t|\nF\ufffd\ufffd=\ufffd\u000b\ufffd\\\ufffdK\ufffd\ufffdkZ\ufffd\ufffd\ufffd)\ufffd\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"tls_ja3": "cc61f04eb7a2e049ef5095a5eb5a4ae0",
"port": 5460,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\u00ef9\ufffd3\ufffd\ufffd`\nc(\ufffd\ufffd\ufffd}\ufffdh\ufffd\ufffd+i\ufffd\ufffd!\ufffd9\ufffd\ufffd@\ufffd \ufffd\ufffdq\ufffdAo\ufffd\ufffd\ufffd<t|\nF\ufffd\ufffd=\ufffd\ufffd\\\ufffdK\ufffd\ufffdkZ\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd",
"attack_vector": "tls probe \u00b7 via TLS:5460 \u00b7 (sonde \/ probe)",
"target_port_label": "5460 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 5460,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u000e\ufffd\u00ef9\ufffd3\ufffd\ufffd`\nc(\ufffd\ufffd\ufffd}\ufffdh\ufffd\ufffd+i\ufffd\ufffd!\ufffd9\ufffd\ufffd@\ufffd \ufffd\ufffdq\ufffdAo\ufffd\ufffd\ufffd<t|\nF\ufffd\ufffd=\ufffd\u000b\ufffd\\\ufffdK\ufffd\ufffdkZ\ufffd\ufffd\ufffd)\ufffd\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"tls_ja3": "cc61f04eb7a2e049ef5095a5eb5a4ae0",
"port": 5460,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:5460 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\u00ef9\ufffd3\ufffd\ufffd`\nc(\ufffd\ufffd\ufffd}\ufffdh\ufffd\ufffd+i\ufffd\ufffd!\ufffd9\ufffd\ufffd@\ufffd \ufffd\ufffdq\ufffdAo\ufffd\ufffd\ufffd<t|\nF\ufffd\ufffd=\ufffd\ufffd\\\ufffdK\ufffd\ufffdkZ\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd",
"target_port_label": "5460 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "5460"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:5460",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5460
|
—
|
Sonde HTTP smuggling
http smuggling probe · port 5460 · (tentative d'exploit)
|
Faible
|
Moyen · 52
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
WAF
—
Recommandation
Investiguer
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5460
Chemin / cible
—
Payload
REGISTER sip:62.3.50.33 SIP/2.0 Via: SIP/2.0/TCP 192.168.10.127:33442;branch=z9hG4bK-34314 Max-Forwards: 70 Call-ID: c6a0c1e1
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 52
Confiance : Confiance 95 % — Motif catalogue confirmé
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
SIP protocol
User-Agent
—
Règles WAF
—
Payload (extrait)
REGISTER sip:62.3.50.33 SIP/2.0
Via: SIP/2.0/TCP 192.168.10.127:33442;branch=z9hG4bK-34314
Max-Forwards: 70
Call-ID: c6a0c1e1
Requête brute (extrait)
REGISTER sip:62.3.50.33 SIP/2.0 Via: SIP/2.0/TCP 192.168.10.127:33442;branch=z9hG4bK-34314 Max-Forwards: 70 Call-ID: c6a0c1e1-001e-4a9a-887a-4cb5d0637c59 Content-Length: 0 To: <sip:52738570472@62.3.50.33> From: <sip:52738570472@192.168.10.127>;tag=59
Meta JSON brut
{
"bytes_in": 345,
"payload_entropy": 5.344543586395236,
"port_category": "registered",
"org": "OVH SAS",
"service": null,
"app_proto": null,
"asn": 16276,
"country": "RU",
"dst_port": 5460,
"risk_waf": 8,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 0.6,
"risk_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 15
},
"risk_score": 52,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "35fb90409aea30624a7ccc0f67ebfe8311bb2272",
"event_fingerprint": "3e4e54a14b1e9a792dd3f6fe3666942486471606",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0384"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"SIP protocol"
],
"pattern_ids": [
"pat-0842",
"pat-0384"
],
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 15,
"risk_score": 52,
"correlation_boost": 8
},
"named_classification_skipped": false,
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "67d26fbb99e7a325a5cb0b7e2d648f52",
"path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a"
},
"target_context": {
"dst_port": 5460,
"risk_score": 52
},
"payload_preview": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.127:33442;branch=z9hG4bK-34314\r\nMax-Forwards: 70\r\nCall-ID: c6a0c1e1",
"request_sample": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.127:33442;branch=z9hG4bK-34314\r\nMax-Forwards: 70\r\nCall-ID: c6a0c1e1-001e-4a9a-887a-4cb5d0637c59\r\nContent-Length: 0\r\nTo: <sip:52738570472@62.3.50.33>\r\nFrom: <sip:52738570472@192.168.10.127>;tag=59",
"payload_snippet": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.127:33442;branch=z9hG4bK-34314\r\nMax-Forwards: 70\r\nCall-ID: c6a0c1e1",
"evidence": {
"request_sample": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.127:33442;branch=z9hG4bK-34314\r\nMax-Forwards: 70\r\nCall-ID: c6a0c1e1-001e-4a9a-887a-4cb5d0637c59\r\nContent-Length: 0\r\nTo: <sip:52738570472@62.3.50.33>\r\nFrom: <sip:52738570472@192.168.10.127>;tag=59",
"payload_snippet": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.127:33442;branch=z9hG4bK-34314\r\nMax-Forwards: 70\r\nCall-ID: c6a0c1e1",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2f920aab38e35a635872e7aa81f829fa79ec2deb",
"protocol_details": {
"payload_preview": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.127:33442;branch=z9hG4bK-34314\r\nMax-Forwards: 70\r\nCall-ID: c6a0c1e1",
"port": 5460
},
"evidence_snippet": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.127:33442;branch=z9hG4bK-34314\r\nMax-Forwards: 70\r\nCall-ID: c6a0c1e1",
"attack_vector": "http smuggling probe \u00b7 port 5460 \u00b7 (tentative d'exploit)",
"target_port_label": "5460",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 multi-protocole (3 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 15,
"risk_score": 52,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 52,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 5460,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.127:33442;branch=z9hG4bK-34314\r\nMax-Forwards: 70\r\nCall-ID: c6a0c1e1",
"port": 5460
},
"attack_vector": "http smuggling probe \u00b7 port 5460 \u00b7 (tentative d'exploit)",
"evidence_snippet": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.127:33442;branch=z9hG4bK-34314\r\nMax-Forwards: 70\r\nCall-ID: c6a0c1e1",
"target_port_label": "5460",
"emulator_service": null,
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "5460"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:5460",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"asn_dc_heuristic": true
}
|
|
|
TCP |
5460 · HTTP
|
http
|
Sonde HTTP smuggling
http smuggling probe · via HTTP:5460 · (tentative d'exploit) · → sip:62.3.50.33
|
Élevée
|
Élevé · 66
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
OPTIONS sip:62.3.50.33
Émulateur
HTTP
WAF
28
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950382:rce-14
950470:nosqli-3
Cible HTTP
OPTIONS
sip:62.3.50.33
TLS SNI
—
Capteur
paris-1
|
Méthode
OPTIONS
Port
5460
Chemin / cible
sip:62.3.50.33
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 66
Confiance : Confiance 95 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
SIP protocol
Ligne de requête
OPTIONS sip:62.3.50.33 HTTP/1.1
User-Agent
—
Règles WAF
lfi-14
rce-0
rce-14
nosqli-3
Payload (extrait)
OPTIONS sip:62.3.50.33 SIP/2.0
Via: SIP/2.0/TCP 192.168.10.82:33374;branch=z9hG4bK-63388
Max-Forwards: 70
Call-ID: d46be445-0
Requête brute (extrait)
OPTIONS sip:62.3.50.33 SIP/2.0 Via: SIP/2.0/TCP 192.168.10.82:33374;branch=z9hG4bK-63388 Max-Forwards: 70 Call-ID: d46be445-0aba-4679-8827-26cea8745b16 Content-Length: 0 To: <sip:62.3.50.33> From: <sip:87386788069@192.168.10.82>;tag=8136 CSeq: 1 OPT
Meta JSON brut
{
"http_header_count": 9,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "33",
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "a93b9fae74730e34a8148a6bdc278533115dc4a8",
"http_referer_hash": null,
"http_method": "OPTIONS",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 337,
"payload_entropy": 5.373446938121617,
"port_category": "registered",
"org": "OVH SAS",
"service": "http",
"app_proto": "http",
"asn": 16276,
"country": "RU",
"dst_port": 5460,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.4,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 66,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "78fe0ed4f7c10a1484d2bacac8c87d321d4a38e4",
"event_fingerprint": "b6db3128c005ca7a6003459f003fc31aa2dffd60",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0384"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"SIP protocol"
],
"pattern_ids": [
"pat-0842",
"pat-0384"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ad40176df1fe8283ea2730d49383a6a0",
"path_pattern_hash": "54f584808f270c653072560c766be65a"
},
"target_context": {
"dst_port": 5460,
"service": "http",
"service_name": "http",
"risk_score": 66
},
"payload_preview": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.82:33374;branch=z9hG4bK-63388\r\nMax-Forwards: 70\r\nCall-ID: d46be445-0",
"method": "OPTIONS",
"path": "sip:62.3.50.33",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950382:rce-14",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"nosqli-3"
],
"request_line": "OPTIONS sip:62.3.50.33 HTTP\/1.1",
"request_sample": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.82:33374;branch=z9hG4bK-63388\r\nMax-Forwards: 70\r\nCall-ID: d46be445-0aba-4679-8827-26cea8745b16\r\nContent-Length: 0\r\nTo: <sip:62.3.50.33>\r\nFrom: <sip:87386788069@192.168.10.82>;tag=8136\r\nCSeq: 1 OPT",
"payload_snippet": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.82:33374;branch=z9hG4bK-63388\r\nMax-Forwards: 70\r\nCall-ID: d46be445-0",
"evidence": {
"method": "OPTIONS",
"path": "sip:62.3.50.33",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950382:rce-14",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"nosqli-3"
],
"request_line": "OPTIONS sip:62.3.50.33 HTTP\/1.1",
"request_sample": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.82:33374;branch=z9hG4bK-63388\r\nMax-Forwards: 70\r\nCall-ID: d46be445-0aba-4679-8827-26cea8745b16\r\nContent-Length: 0\r\nTo: <sip:62.3.50.33>\r\nFrom: <sip:87386788069@192.168.10.82>;tag=8136\r\nCSeq: 1 OPT",
"payload_snippet": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.82:33374;branch=z9hG4bK-63388\r\nMax-Forwards: 70\r\nCall-ID: d46be445-0",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3847e158484f1aadaa336401b0b32e9806ac0b72",
"protocol_details": {
"http_method": "OPTIONS",
"http_path": "sip:62.3.50.33",
"request_line": "OPTIONS sip:62.3.50.33 HTTP\/1.1",
"port": 5460,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.82:33374;branch=z9hG4bK-63388\r\nMax-Forwards: 70\r\nCall-ID: d46be445-0",
"attack_vector": "http smuggling probe \u00b7 via HTTP:5460 \u00b7 (tentative d'exploit) \u00b7 \u2192 sip:62.3.50.33",
"target_port_label": "5460 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 66,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 5460,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "OPTIONS",
"http_path": "sip:62.3.50.33",
"request_line": "OPTIONS sip:62.3.50.33 HTTP\/1.1",
"port": 5460,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http smuggling probe \u00b7 via HTTP:5460 \u00b7 (tentative d'exploit) \u00b7 \u2192 sip:62.3.50.33",
"evidence_snippet": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.82:33374;branch=z9hG4bK-63388\r\nMax-Forwards: 70\r\nCall-ID: d46be445-0",
"target_port_label": "5460 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "5460"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:5260",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950382:rce-14",
"950470:nosqli-3",
"http_no_ua"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
5260 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:5260 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 cc61f04eb7a2e049
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5260
Chemin / cible
—
Service
TLS
Payload
�����������ʑR�x.G�,�3���QNt �A�=!ؼK��}�� )�ѕ"�S��c�єP��T�ٸ�g�^)8��L�Gk���������,�0����̨̩̪���������]�a�W�S���+�/��������
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������ʑR�x.G�,�3���QNt��A�=!ؼK��}�� )�ѕ"�S��c�єP��T�ٸ�g�^)8��L�Gk���������,�0����̨̩̪���������]�a�W�S���+�/��������
Requête brute (extrait)
�����������ʑR�x.G�,�3���QNt �A�=!ؼK��}�� )�ѕ"�S��c�єP��T�ٸ�g�^)8��L�Gk���������,�0����̨̩̪���������]�a�W�S���+�/�������������\�`�V�R���$�(�k�j�s�w�����m���#�'�g�@�r�v�����l��� ���9�8�������:��� ���3�2�E�D���4�F�������Q�������P�=���<���5���/�A������
Meta JSON brut
{
"tls_ja3_hash": "cc61f04eb7a2e049ef5095a5eb5a4ae0",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 24,
"bytes_in": 517,
"payload_entropy": 5.066284882808564,
"port_category": "registered",
"org": "OVH SAS",
"service": "tls",
"app_proto": "tls",
"asn": 16276,
"country": "RU",
"dst_port": 5260,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "e5148bdfe6a1bff0ccf7c6f590968ebc05bedb8e",
"event_fingerprint": "ddae32505acafdc7a824386068e014572fcc2e2e",
"classification_confidence": 0.58,
"confidence": 0.58,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "cc61f04eb7a2e049ef5095a5eb5a4ae0",
"payload_hash": "f0d9b8e047f2ad81737de211af31c132",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 5260,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0291R\ufffdx.G\ufffd,\ufffd3\u001a\ufffd\u001eQNt\f\ufffdA\u0011=!\u063cK\u001e\ufffd}\u0007\ufffd )\ufffd\u0455\"\u0011S\ufffd\u0014c\ufffd\u0454P\ufffd\ufffdT\ufffd\u0678\u0007g\ufffd^)8\ufffd\ufffdL\u001aGk\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0291R\ufffdx.G\ufffd,\ufffd3\u001a\ufffd\u001eQNt\f\ufffdA\u0011=!\u063cK\u001e\ufffd}\u0007\ufffd )\ufffd\u0455\"\u0011S\ufffd\u0014c\ufffd\u0454P\ufffd\ufffdT\ufffd\u0678\u0007g\ufffd^)8\ufffd\ufffdL\u001aGk\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffdV\ufffdR\u0000\ufffd\ufffd$\ufffd(\u0000k\u0000j\ufffds\ufffdw\u0000\ufffd\u0000\ufffd\u0000m\u0000\ufffd\ufffd#\ufffd'\u0000g\u0000@\ufffdr\ufffdv\u0000\ufffd\u0000\ufffd\u0000l\u0000\ufffd\ufffd\n\ufffd\u0014\u00009\u00008\u0000\ufffd\u0000\ufffd\ufffd\u0019\u0000:\u0000\ufffd\ufffd\t\ufffd\u0013\u00003\u00002\u0000E\u0000D\ufffd\u0018\u00004\u0000F\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001\u0005",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0291R\ufffdx.G\ufffd,\ufffd3\u001a\ufffd\u001eQNt\f\ufffdA\u0011=!\u063cK\u001e\ufffd}\u0007\ufffd )\ufffd\u0455\"\u0011S\ufffd\u0014c\ufffd\u0454P\ufffd\ufffdT\ufffd\u0678\u0007g\ufffd^)8\ufffd\ufffdL\u001aGk\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0291R\ufffdx.G\ufffd,\ufffd3\u001a\ufffd\u001eQNt\f\ufffdA\u0011=!\u063cK\u001e\ufffd}\u0007\ufffd )\ufffd\u0455\"\u0011S\ufffd\u0014c\ufffd\u0454P\ufffd\ufffdT\ufffd\u0678\u0007g\ufffd^)8\ufffd\ufffdL\u001aGk\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffdV\ufffdR\u0000\ufffd\ufffd$\ufffd(\u0000k\u0000j\ufffds\ufffdw\u0000\ufffd\u0000\ufffd\u0000m\u0000\ufffd\ufffd#\ufffd'\u0000g\u0000@\ufffdr\ufffdv\u0000\ufffd\u0000\ufffd\u0000l\u0000\ufffd\ufffd\n\ufffd\u0014\u00009\u00008\u0000\ufffd\u0000\ufffd\ufffd\u0019\u0000:\u0000\ufffd\ufffd\t\ufffd\u0013\u00003\u00002\u0000E\u0000D\ufffd\u0018\u00004\u0000F\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001\u0005",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0291R\ufffdx.G\ufffd,\ufffd3\u001a\ufffd\u001eQNt\f\ufffdA\u0011=!\u063cK\u001e\ufffd}\u0007\ufffd )\ufffd\u0455\"\u0011S\ufffd\u0014c\ufffd\u0454P\ufffd\ufffdT\ufffd\u0678\u0007g\ufffd^)8\ufffd\ufffdL\u001aGk\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "13a5448220366f9a32fbeed551d5df7029b8d939",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0291R\ufffdx.G\ufffd,\ufffd3\u001a\ufffd\u001eQNt\f\ufffdA\u0011=!\u063cK\u001e\ufffd}\u0007\ufffd )\ufffd\u0455\"\u0011S\ufffd\u0014c\ufffd\u0454P\ufffd\ufffdT\ufffd\u0678\u0007g\ufffd^)8\ufffd\ufffdL\u001aGk\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"tls_ja3": "cc61f04eb7a2e049ef5095a5eb5a4ae0",
"port": 5260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\u0291R\ufffdx.G\ufffd,\ufffd3\ufffdQNt\ufffdA=!\u063cK\ufffd}\ufffd )\ufffd\u0455\"S\ufffdc\ufffd\u0454P\ufffd\ufffdT\ufffd\u0678g\ufffd^)8\ufffd\ufffdLGk\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd",
"attack_vector": "tls probe \u00b7 via TLS:5260 \u00b7 (sonde \/ probe)",
"target_port_label": "5260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 5260,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0291R\ufffdx.G\ufffd,\ufffd3\u001a\ufffd\u001eQNt\f\ufffdA\u0011=!\u063cK\u001e\ufffd}\u0007\ufffd )\ufffd\u0455\"\u0011S\ufffd\u0014c\ufffd\u0454P\ufffd\ufffdT\ufffd\u0678\u0007g\ufffd^)8\ufffd\ufffdL\u001aGk\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"tls_ja3": "cc61f04eb7a2e049ef5095a5eb5a4ae0",
"port": 5260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:5260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\u0291R\ufffdx.G\ufffd,\ufffd3\ufffdQNt\ufffdA=!\u063cK\ufffd}\ufffd )\ufffd\u0455\"S\ufffdc\ufffd\u0454P\ufffd\ufffdT\ufffd\u0678g\ufffd^)8\ufffd\ufffdLGk\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd",
"target_port_label": "5260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "5260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:5260",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5260 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:5260 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 cc61f04eb7a2e049
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5260
Chemin / cible
—
Service
TLS
Payload
�����������ֹEa�O�d��TK��ܡW�O���������M��� J���l�%��T�����$��YG��qn��{�� ���������,�0����̨̩̪���������]�a�W�S���+�/��������
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������ֹEa�O�d��TK��ܡW�O���������M��� J���l�%��T�����$��YG��qn��{������������,�0����̨̩̪���������]�a�W�S���+�/��������
Requête brute (extrait)
�����������ֹEa�O�d��TK��ܡW�O���������M��� J���l�%��T�����$��YG��qn��{�� ���������,�0����̨̩̪���������]�a�W�S���+�/�������������\�`�V�R���$�(�k�j�s�w�����m���#�'�g�@�r�v�����l��� ���9�8�������:��� ���3�2�E�D���4�F�������Q�������P�=���<���5���/�A������
Meta JSON brut
{
"tls_ja3_hash": "cc61f04eb7a2e049ef5095a5eb5a4ae0",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 24,
"bytes_in": 517,
"payload_entropy": 5.072341519576699,
"port_category": "registered",
"org": "OVH SAS",
"service": "tls",
"app_proto": "tls",
"asn": 16276,
"country": "RU",
"dst_port": 5260,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "e5148bdfe6a1bff0ccf7c6f590968ebc05bedb8e",
"event_fingerprint": "ddae32505acafdc7a824386068e014572fcc2e2e",
"classification_confidence": 0.58,
"confidence": 0.58,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "cc61f04eb7a2e049ef5095a5eb5a4ae0",
"payload_hash": "b222237c26d76bfb8f65d1a739c429f9",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 5260,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u05b9Ea\u0004O\ufffdd\ufffd\ufffdTK\ufffd\ufffd\u0721W\ufffdO\u001d\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000M\ufffd\ufffd\ufffd J\ufffd\ufffd\ufffdl\ufffd\u0087%\ufffd\ufffdT\u001a\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdYG\u0012\u001cqn\ufffd\ufffd{\ufffd\u0005\u000b\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u05b9Ea\u0004O\ufffdd\ufffd\ufffdTK\ufffd\ufffd\u0721W\ufffdO\u001d\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000M\ufffd\ufffd\ufffd J\ufffd\ufffd\ufffdl\ufffd\u0087%\ufffd\ufffdT\u001a\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdYG\u0012\u001cqn\ufffd\ufffd{\ufffd\u0005\u000b\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffdV\ufffdR\u0000\ufffd\ufffd$\ufffd(\u0000k\u0000j\ufffds\ufffdw\u0000\ufffd\u0000\ufffd\u0000m\u0000\ufffd\ufffd#\ufffd'\u0000g\u0000@\ufffdr\ufffdv\u0000\ufffd\u0000\ufffd\u0000l\u0000\ufffd\ufffd\n\ufffd\u0014\u00009\u00008\u0000\ufffd\u0000\ufffd\ufffd\u0019\u0000:\u0000\ufffd\ufffd\t\ufffd\u0013\u00003\u00002\u0000E\u0000D\ufffd\u0018\u00004\u0000F\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001\u0005",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u05b9Ea\u0004O\ufffdd\ufffd\ufffdTK\ufffd\ufffd\u0721W\ufffdO\u001d\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000M\ufffd\ufffd\ufffd J\ufffd\ufffd\ufffdl\ufffd\u0087%\ufffd\ufffdT\u001a\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdYG\u0012\u001cqn\ufffd\ufffd{\ufffd\u0005\u000b\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5105e06ec1f1c36e8a709fea16980e651633ba6d",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u05b9Ea\u0004O\ufffdd\ufffd\ufffdTK\ufffd\ufffd\u0721W\ufffdO\u001d\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000M\ufffd\ufffd\ufffd J\ufffd\ufffd\ufffdl\ufffd\u0087%\ufffd\ufffdT\u001a\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdYG\u0012\u001cqn\ufffd\ufffd{\ufffd\u0005\u000b\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"tls_ja3": "cc61f04eb7a2e049ef5095a5eb5a4ae0",
"port": 5260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\u05b9EaO\ufffdd\ufffd\ufffdTK\ufffd\ufffd\u0721W\ufffdO\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd J\ufffd\ufffd\ufffdl\ufffd\u0087%\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdYGqn\ufffd\ufffd{\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd",
"attack_vector": "tls probe \u00b7 via TLS:5260 \u00b7 (sonde \/ probe)",
"target_port_label": "5260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 5260,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u05b9Ea\u0004O\ufffdd\ufffd\ufffdTK\ufffd\ufffd\u0721W\ufffdO\u001d\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000M\ufffd\ufffd\ufffd J\ufffd\ufffd\ufffdl\ufffd\u0087%\ufffd\ufffdT\u001a\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdYG\u0012\u001cqn\ufffd\ufffd{\ufffd\u0005\u000b\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"tls_ja3": "cc61f04eb7a2e049ef5095a5eb5a4ae0",
"port": 5260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:5260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\u05b9EaO\ufffdd\ufffd\ufffdTK\ufffd\ufffd\u0721W\ufffdO\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd J\ufffd\ufffd\ufffdl\ufffd\u0087%\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdYGqn\ufffd\ufffd{\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd",
"target_port_label": "5260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "5260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:5260",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5260
|
—
|
Sonde HTTP smuggling
http smuggling probe · port 5260 · (tentative d'exploit)
|
Faible
|
Moyen · 52
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
WAF
—
Recommandation
Investiguer
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5260
Chemin / cible
—
Payload
REGISTER sip:62.3.50.33 SIP/2.0 Via: SIP/2.0/TCP 192.168.10.69:36614;branch=z9hG4bK-34318 Max-Forwards: 70 Call-ID: 1005620f-
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 52
Confiance : Confiance 95 % — Motif catalogue confirmé
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
SIP protocol
User-Agent
—
Règles WAF
—
Payload (extrait)
REGISTER sip:62.3.50.33 SIP/2.0
Via: SIP/2.0/TCP 192.168.10.69:36614;branch=z9hG4bK-34318
Max-Forwards: 70
Call-ID: 1005620f-
Requête brute (extrait)
REGISTER sip:62.3.50.33 SIP/2.0 Via: SIP/2.0/TCP 192.168.10.69:36614;branch=z9hG4bK-34318 Max-Forwards: 70 Call-ID: 1005620f-31e6-473e-900a-c3a2d63966ca Content-Length: 0 To: <sip:57557315659@62.3.50.33> From: <sip:57557315659@192.168.10.69>;tag=3267
Meta JSON brut
{
"bytes_in": 342,
"payload_entropy": 5.318814976358084,
"port_category": "registered",
"org": "OVH SAS",
"service": null,
"app_proto": null,
"asn": 16276,
"country": "RU",
"dst_port": 5260,
"risk_waf": 8,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 15
},
"risk_score": 52,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "b4610eb050847ed96c6cd81e6a71c41e70502810",
"event_fingerprint": "970a602c9cb9139334731e2a834b5c2a7f773580",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0384"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"SIP protocol"
],
"pattern_ids": [
"pat-0842",
"pat-0384"
],
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 15,
"risk_score": 52,
"correlation_boost": 8
},
"named_classification_skipped": false,
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d91c15d35e6a8e4f68d0ba796cfe3a98",
"path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a"
},
"target_context": {
"dst_port": 5260,
"risk_score": 52
},
"payload_preview": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.69:36614;branch=z9hG4bK-34318\r\nMax-Forwards: 70\r\nCall-ID: 1005620f-",
"request_sample": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.69:36614;branch=z9hG4bK-34318\r\nMax-Forwards: 70\r\nCall-ID: 1005620f-31e6-473e-900a-c3a2d63966ca\r\nContent-Length: 0\r\nTo: <sip:57557315659@62.3.50.33>\r\nFrom: <sip:57557315659@192.168.10.69>;tag=3267",
"payload_snippet": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.69:36614;branch=z9hG4bK-34318\r\nMax-Forwards: 70\r\nCall-ID: 1005620f-",
"evidence": {
"request_sample": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.69:36614;branch=z9hG4bK-34318\r\nMax-Forwards: 70\r\nCall-ID: 1005620f-31e6-473e-900a-c3a2d63966ca\r\nContent-Length: 0\r\nTo: <sip:57557315659@62.3.50.33>\r\nFrom: <sip:57557315659@192.168.10.69>;tag=3267",
"payload_snippet": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.69:36614;branch=z9hG4bK-34318\r\nMax-Forwards: 70\r\nCall-ID: 1005620f-",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2c0d1b9351991598e87e135da7ced06797c39e5f",
"protocol_details": {
"payload_preview": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.69:36614;branch=z9hG4bK-34318\r\nMax-Forwards: 70\r\nCall-ID: 1005620f-",
"port": 5260
},
"evidence_snippet": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.69:36614;branch=z9hG4bK-34318\r\nMax-Forwards: 70\r\nCall-ID: 1005620f-",
"attack_vector": "http smuggling probe \u00b7 port 5260 \u00b7 (tentative d'exploit)",
"target_port_label": "5260",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 multi-protocole (3 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 15,
"risk_score": 52,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 52,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 5260,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.69:36614;branch=z9hG4bK-34318\r\nMax-Forwards: 70\r\nCall-ID: 1005620f-",
"port": 5260
},
"attack_vector": "http smuggling probe \u00b7 port 5260 \u00b7 (tentative d'exploit)",
"evidence_snippet": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.69:36614;branch=z9hG4bK-34318\r\nMax-Forwards: 70\r\nCall-ID: 1005620f-",
"target_port_label": "5260",
"emulator_service": null,
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "5260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:5260",
"sip-tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"asn_dc_heuristic": true
}
|
|
|
TCP |
5260 · HTTP
|
http
|
Sonde HTTP smuggling
http smuggling probe · via HTTP:5260 · (tentative d'exploit) · → sip:62.3.50.33
|
Élevée
|
Élevé · 69
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
OPTIONS sip:62.3.50.33
Émulateur
HTTP
WAF
28
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950382:rce-14
950470:nosqli-3
Cible HTTP
OPTIONS
sip:62.3.50.33
TLS SNI
—
Capteur
paris-1
|
Méthode
OPTIONS
Port
5260
Chemin / cible
sip:62.3.50.33
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 69
Confiance : Confiance 95 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
SIP protocol
Ligne de requête
OPTIONS sip:62.3.50.33 HTTP/1.1
User-Agent
—
Règles WAF
lfi-14
rce-0
rce-14
nosqli-3
Payload (extrait)
OPTIONS sip:62.3.50.33 SIP/2.0
Via: SIP/2.0/TCP 192.168.10.173:36568;branch=z9hG4bK-54489
Max-Forwards: 70
Call-ID: 45182d51-
Requête brute (extrait)
OPTIONS sip:62.3.50.33 SIP/2.0 Via: SIP/2.0/TCP 192.168.10.173:36568;branch=z9hG4bK-54489 Max-Forwards: 70 Call-ID: 45182d51-18cf-4ab1-a609-51d86ad052e1 Content-Length: 0 To: <sip:62.3.50.33> From: <sip:74893980198@192.168.10.173>;tag=40302 CSeq: 1
Meta JSON brut
{
"http_header_count": 9,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "33",
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "a93b9fae74730e34a8148a6bdc278533115dc4a8",
"http_referer_hash": null,
"http_method": "OPTIONS",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 341,
"payload_entropy": 5.388625332383987,
"port_category": "registered",
"org": "OVH SAS",
"service": "http",
"app_proto": "http",
"asn": 16276,
"country": "RU",
"dst_port": 5260,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 69,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "50fdb8d477ace93e66ff7c1364cf4f601128a6b1",
"event_fingerprint": "ca42298ba458ba3fb6d68b92aba0722e0bf80945",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0384"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"SIP protocol"
],
"pattern_ids": [
"pat-0842",
"pat-0384"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 69,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2e5c34aaf569a10cf86a6507ef227e11",
"path_pattern_hash": "54f584808f270c653072560c766be65a"
},
"target_context": {
"dst_port": 5260,
"service": "http",
"service_name": "http",
"risk_score": 69
},
"payload_preview": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.173:36568;branch=z9hG4bK-54489\r\nMax-Forwards: 70\r\nCall-ID: 45182d51-",
"method": "OPTIONS",
"path": "sip:62.3.50.33",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950382:rce-14",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"nosqli-3"
],
"request_line": "OPTIONS sip:62.3.50.33 HTTP\/1.1",
"request_sample": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.173:36568;branch=z9hG4bK-54489\r\nMax-Forwards: 70\r\nCall-ID: 45182d51-18cf-4ab1-a609-51d86ad052e1\r\nContent-Length: 0\r\nTo: <sip:62.3.50.33>\r\nFrom: <sip:74893980198@192.168.10.173>;tag=40302\r\nCSeq: 1 ",
"payload_snippet": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.173:36568;branch=z9hG4bK-54489\r\nMax-Forwards: 70\r\nCall-ID: 45182d51-",
"evidence": {
"method": "OPTIONS",
"path": "sip:62.3.50.33",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950382:rce-14",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"nosqli-3"
],
"request_line": "OPTIONS sip:62.3.50.33 HTTP\/1.1",
"request_sample": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.173:36568;branch=z9hG4bK-54489\r\nMax-Forwards: 70\r\nCall-ID: 45182d51-18cf-4ab1-a609-51d86ad052e1\r\nContent-Length: 0\r\nTo: <sip:62.3.50.33>\r\nFrom: <sip:74893980198@192.168.10.173>;tag=40302\r\nCSeq: 1 ",
"payload_snippet": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.173:36568;branch=z9hG4bK-54489\r\nMax-Forwards: 70\r\nCall-ID: 45182d51-",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f0fc17961a91f66fec5c90c54d279b8cf2c0be13",
"protocol_details": {
"http_method": "OPTIONS",
"http_path": "sip:62.3.50.33",
"request_line": "OPTIONS sip:62.3.50.33 HTTP\/1.1",
"port": 5260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.173:36568;branch=z9hG4bK-54489\r\nMax-Forwards: 70\r\nCall-ID: 45182d51-",
"attack_vector": "http smuggling probe \u00b7 via HTTP:5260 \u00b7 (tentative d'exploit) \u00b7 \u2192 sip:62.3.50.33",
"target_port_label": "5260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 69,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 69,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 5260,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "OPTIONS",
"http_path": "sip:62.3.50.33",
"request_line": "OPTIONS sip:62.3.50.33 HTTP\/1.1",
"port": 5260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http smuggling probe \u00b7 via HTTP:5260 \u00b7 (tentative d'exploit) \u00b7 \u2192 sip:62.3.50.33",
"evidence_snippet": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.173:36568;branch=z9hG4bK-54489\r\nMax-Forwards: 70\r\nCall-ID: 45182d51-",
"target_port_label": "5260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "5260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"sip-tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950382:rce-14",
"950470:nosqli-3",
"http_no_ua"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
5061 · SIP TLS
|
sip-tls
|
Sonde SIP/VoIP
sip voip probe · via SIP TLS:5061 · (sonde / probe)
|
Élevée
|
Moyen · 45
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SIP-TLS
WAF
—
Recommandation
Surveiller
Tags
net_sip_voip_probe
sip_tls_emulated
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5061
Chemin / cible
—
Service
SIP TLS
Payload
�����������!��J��B��;���^ѩ�cr�J]�2��<�X��1 "���;�s�!S�_��sp��ݺ���k���4��m���������,�0����̨̩̪���������]�a�W�S���+�/��������
Pourquoi cette classification : Type « sip_voip_probe » (signaux protocolaires) · confiance 67%
Confiance classification
67%
Risque capteur
Moyen
· 45
Confiance : Confiance 67 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0578
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Minecraft varint handshake
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������!��J��B��;���^ѩ�cr�J]�2��<�X��1 "���;�s�!S�_��sp��ݺ���k���4��m���������,�0����̨̩̪���������]�a�W�S���+�/��������
Requête brute (extrait)
�����������!��J��B��;���^ѩ�cr�J]�2��<�X��1 "���;�s�!S�_��sp��ݺ���k���4��m���������,�0����̨̩̪���������]�a�W�S���+�/�������������\�`�V�R���$�(�k�j�s�w�����m���#�'�g�@�r�v�����l��� ���9�8�������:��� ���3�2�E�D���4�F�������Q�������P�=���<���5���/�A������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "15030300020228",
"emulator_response_len": 7,
"bytes_in": 517,
"payload_entropy": 5.031238687058579,
"port_category": "registered",
"org": "OVH SAS",
"service": "sip-tls",
"app_proto": "sip-tls",
"asn": 16276,
"country": "RU",
"dst_port": 5061,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 45,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "554e11b9302bdfcd540c45a1cf923952ca5dba5a",
"event_fingerprint": "023bc9d1c35abdce99228ec210a0d9707a172294",
"classification_reason": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 75,
"precision_signals": [
"pat-0578",
"INT-upstream"
],
"kb_rule_ids": [
"pat-0578",
"INT-upstream"
],
"matched_patterns": [
"pat-0554",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"Minecraft varint handshake",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0554",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45
},
"named_classification_skipped": false,
"service_name": "sip-tls",
"risk_confidence_factor": 67,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a62803534f5d132040318e69f8c1a439",
"path_pattern_hash": "12e58fcb9ae07c2755694e8888ea070c"
},
"target_context": {
"dst_port": 5061,
"service": "sip-tls",
"service_name": "sip-tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003!\ufffd\ufffdJ\ufffd\ufffdB\ufffd\ufffd;\ufffd\ufffd\ufffd^\u0469\ufffdcr\ufffdJ]\ufffd2\ufffd\ufffd<\ufffdX\u0010\ufffd1 \"\ufffd\ufffd\ufffd;\ufffds\ufffd!S\u001f_\ufffd\ufffdsp\ufffd\ufffd\u077a\u0016\ufffd\ufffdk\ufffd\ufffd\u001d4\ufffd\ufffdm\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003!\ufffd\ufffdJ\ufffd\ufffdB\ufffd\ufffd;\ufffd\ufffd\ufffd^\u0469\ufffdcr\ufffdJ]\ufffd2\ufffd\ufffd<\ufffdX\u0010\ufffd1 \"\ufffd\ufffd\ufffd;\ufffds\ufffd!S\u001f_\ufffd\ufffdsp\ufffd\ufffd\u077a\u0016\ufffd\ufffdk\ufffd\ufffd\u001d4\ufffd\ufffdm\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffdV\ufffdR\u0000\ufffd\ufffd$\ufffd(\u0000k\u0000j\ufffds\ufffdw\u0000\ufffd\u0000\ufffd\u0000m\u0000\ufffd\ufffd#\ufffd'\u0000g\u0000@\ufffdr\ufffdv\u0000\ufffd\u0000\ufffd\u0000l\u0000\ufffd\ufffd\n\ufffd\u0014\u00009\u00008\u0000\ufffd\u0000\ufffd\ufffd\u0019\u0000:\u0000\ufffd\ufffd\t\ufffd\u0013\u00003\u00002\u0000E\u0000D\ufffd\u0018\u00004\u0000F\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001\u0005",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003!\ufffd\ufffdJ\ufffd\ufffdB\ufffd\ufffd;\ufffd\ufffd\ufffd^\u0469\ufffdcr\ufffdJ]\ufffd2\ufffd\ufffd<\ufffdX\u0010\ufffd1 \"\ufffd\ufffd\ufffd;\ufffds\ufffd!S\u001f_\ufffd\ufffdsp\ufffd\ufffd\u077a\u0016\ufffd\ufffdk\ufffd\ufffd\u001d4\ufffd\ufffdm\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"classification_reason": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "eac03306fa76fa62462283f8442757b474a4ba55",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003!\ufffd\ufffdJ\ufffd\ufffdB\ufffd\ufffd;\ufffd\ufffd\ufffd^\u0469\ufffdcr\ufffdJ]\ufffd2\ufffd\ufffd<\ufffdX\u0010\ufffd1 \"\ufffd\ufffd\ufffd;\ufffds\ufffd!S\u001f_\ufffd\ufffdsp\ufffd\ufffd\u077a\u0016\ufffd\ufffdk\ufffd\ufffd\u001d4\ufffd\ufffdm\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"port": 5061,
"service": "sip-tls",
"service_label_fr": "SIP TLS"
},
"evidence_snippet": "\ufffd!\ufffd\ufffdJ\ufffd\ufffdB\ufffd\ufffd;\ufffd\ufffd\ufffd^\u0469\ufffdcr\ufffdJ]\ufffd2\ufffd\ufffd<\ufffdX\ufffd1 \"\ufffd\ufffd\ufffd;\ufffds\ufffd!S_\ufffd\ufffdsp\ufffd\ufffd\u077a\ufffd\ufffdk\ufffd\ufffd4\ufffd\ufffdm\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd",
"attack_vector": "sip voip probe \u00b7 via SIP TLS:5061 \u00b7 (sonde \/ probe)",
"target_port_label": "5061 \u00b7 SIP TLS",
"emulator_service": "sip-tls",
"confidence_reason": "Confiance 67 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%",
"classification_reason_label_fr": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "sip-tls",
"service_label_fr": "SIP TLS",
"dst_port": 5061,
"protocol_emulated": true,
"tags_summary": [
"pat-0578",
"INT-upstream"
],
"tags_summary_labels_fr": [
"pat-0578",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-sip-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003!\ufffd\ufffdJ\ufffd\ufffdB\ufffd\ufffd;\ufffd\ufffd\ufffd^\u0469\ufffdcr\ufffdJ]\ufffd2\ufffd\ufffd<\ufffdX\u0010\ufffd1 \"\ufffd\ufffd\ufffd;\ufffds\ufffd!S\u001f_\ufffd\ufffdsp\ufffd\ufffd\u077a\u0016\ufffd\ufffdk\ufffd\ufffd\u001d4\ufffd\ufffdm\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"port": 5061,
"service": "sip-tls",
"service_label_fr": "SIP TLS"
},
"attack_vector": "sip voip probe \u00b7 via SIP TLS:5061 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd!\ufffd\ufffdJ\ufffd\ufffdB\ufffd\ufffd;\ufffd\ufffd\ufffd^\u0469\ufffdcr\ufffdJ]\ufffd2\ufffd\ufffd<\ufffdX\ufffd1 \"\ufffd\ufffd\ufffd;\ufffds\ufffd!S_\ufffd\ufffdsp\ufffd\ufffd\u077a\ufffd\ufffdk\ufffd\ufffd4\ufffd\ufffdm\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd",
"target_port_label": "5061 \u00b7 SIP TLS",
"emulator_service": "sip-tls",
"confidence_reason": "Confiance 67 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "sip_tls",
"service_banner": "honeypot-sip-tls",
"service_os": "linux",
"dst_port": "5061"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_sip_voip_probe",
"sip_tls_emulated",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5061 · SIP TLS
|
sip-tls
|
Sonde SIP/VoIP
sip voip probe · via SIP TLS:5061 · (sonde / probe)
|
Élevée
|
Moyen · 45
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SIP-TLS
WAF
—
Recommandation
Surveiller
Tags
net_sip_voip_probe
sip_tls_emulated
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5061
Chemin / cible
—
Service
SIP TLS
Payload
������������-�nޖ-�rD��$u��� ;Ũݶ!IdW 4Ϛm ^�⪓�|�XnL��EEŢ 2ۜ��s���0\ٔ����������,�0����̨̩̪���������]�a�W�S���+�/��������
Pourquoi cette classification : Type « sip_voip_probe » (signaux protocolaires) · confiance 67%
Confiance classification
67%
Risque capteur
Moyen
· 45
Confiance : Confiance 67 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0578
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Minecraft varint handshake
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������-�nޖ-�rD��$u����;Ũݶ!IdW 4Ϛm ^�⪓�|�XnL��EEŢ 2ۜ��s���0\ٔ����������,�0����̨̩̪���������]�a�W�S���+�/��������
Requête brute (extrait)
������������-�nޖ-�rD��$u��� ;Ũݶ!IdW 4Ϛm ^�⪓�|�XnL��EEŢ 2ۜ��s���0\ٔ����������,�0����̨̩̪���������]�a�W�S���+�/�������������\�`�V�R���$�(�k�j�s�w�����m���#�'�g�@�r�v�����l��� ���9�8�������:��� ���3�2�E�D���4�F�������Q�������P�=���<���5���/�A������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "15030300020228",
"emulator_response_len": 7,
"bytes_in": 517,
"payload_entropy": 5.074965604166476,
"port_category": "registered",
"org": "OVH SAS",
"service": "sip-tls",
"app_proto": "sip-tls",
"asn": 16276,
"country": "RU",
"dst_port": 5061,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 45,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "554e11b9302bdfcd540c45a1cf923952ca5dba5a",
"event_fingerprint": "023bc9d1c35abdce99228ec210a0d9707a172294",
"classification_reason": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 75,
"precision_signals": [
"pat-0578",
"INT-upstream"
],
"kb_rule_ids": [
"pat-0578",
"INT-upstream"
],
"matched_patterns": [
"pat-0554",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"Minecraft varint handshake",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0554",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45
},
"named_classification_skipped": false,
"service_name": "sip-tls",
"risk_confidence_factor": 67,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "5a79e7242f70e4b79975d9513030e769",
"path_pattern_hash": "12e58fcb9ae07c2755694e8888ea070c"
},
"target_context": {
"dst_port": 5061,
"service": "sip-tls",
"service_name": "sip-tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd-\ufffdn\u0796-\ufffdrD\ufffd\ufffd$u\u001f\ufffd\ufffd\f;\u0168\u0776!IdW\t4\u03dam ^\ufffd\u2a93\ufffd|\u0011XnL\ufffd\u0018EE\u0162\t2\u06dc\ufffd\ufffds\ufffd\ufffd\ufffd0\\\u0654\ufffd\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd-\ufffdn\u0796-\ufffdrD\ufffd\ufffd$u\u001f\ufffd\ufffd\f;\u0168\u0776!IdW\t4\u03dam ^\ufffd\u2a93\ufffd|\u0011XnL\ufffd\u0018EE\u0162\t2\u06dc\ufffd\ufffds\ufffd\ufffd\ufffd0\\\u0654\ufffd\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffdV\ufffdR\u0000\ufffd\ufffd$\ufffd(\u0000k\u0000j\ufffds\ufffdw\u0000\ufffd\u0000\ufffd\u0000m\u0000\ufffd\ufffd#\ufffd'\u0000g\u0000@\ufffdr\ufffdv\u0000\ufffd\u0000\ufffd\u0000l\u0000\ufffd\ufffd\n\ufffd\u0014\u00009\u00008\u0000\ufffd\u0000\ufffd\ufffd\u0019\u0000:\u0000\ufffd\ufffd\t\ufffd\u0013\u00003\u00002\u0000E\u0000D\ufffd\u0018\u00004\u0000F\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001\u0005",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd-\ufffdn\u0796-\ufffdrD\ufffd\ufffd$u\u001f\ufffd\ufffd\f;\u0168\u0776!IdW\t4\u03dam ^\ufffd\u2a93\ufffd|\u0011XnL\ufffd\u0018EE\u0162\t2\u06dc\ufffd\ufffds\ufffd\ufffd\ufffd0\\\u0654\ufffd\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"classification_reason": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "70dd78017047af9a1c74444b3ec893f34e5a0bd4",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd-\ufffdn\u0796-\ufffdrD\ufffd\ufffd$u\u001f\ufffd\ufffd\f;\u0168\u0776!IdW\t4\u03dam ^\ufffd\u2a93\ufffd|\u0011XnL\ufffd\u0018EE\u0162\t2\u06dc\ufffd\ufffds\ufffd\ufffd\ufffd0\\\u0654\ufffd\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"port": 5061,
"service": "sip-tls",
"service_label_fr": "SIP TLS"
},
"evidence_snippet": "\ufffd\ufffd-\ufffdn\u0796-\ufffdrD\ufffd\ufffd$u\ufffd\ufffd;\u0168\u0776!IdW\t4\u03dam ^\ufffd\u2a93\ufffd|XnL\ufffdEE\u0162\t2\u06dc\ufffd\ufffds\ufffd\ufffd\ufffd0\\\u0654\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd",
"attack_vector": "sip voip probe \u00b7 via SIP TLS:5061 \u00b7 (sonde \/ probe)",
"target_port_label": "5061 \u00b7 SIP TLS",
"emulator_service": "sip-tls",
"confidence_reason": "Confiance 67 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%",
"classification_reason_label_fr": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "sip-tls",
"service_label_fr": "SIP TLS",
"dst_port": 5061,
"protocol_emulated": true,
"tags_summary": [
"pat-0578",
"INT-upstream"
],
"tags_summary_labels_fr": [
"pat-0578",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-sip-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd-\ufffdn\u0796-\ufffdrD\ufffd\ufffd$u\u001f\ufffd\ufffd\f;\u0168\u0776!IdW\t4\u03dam ^\ufffd\u2a93\ufffd|\u0011XnL\ufffd\u0018EE\u0162\t2\u06dc\ufffd\ufffds\ufffd\ufffd\ufffd0\\\u0654\ufffd\u0000\ufffd\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd",
"port": 5061,
"service": "sip-tls",
"service_label_fr": "SIP TLS"
},
"attack_vector": "sip voip probe \u00b7 via SIP TLS:5061 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd-\ufffdn\u0796-\ufffdrD\ufffd\ufffd$u\ufffd\ufffd;\u0168\u0776!IdW\t4\u03dam ^\ufffd\u2a93\ufffd|XnL\ufffdEE\u0162\t2\u06dc\ufffd\ufffds\ufffd\ufffd\ufffd0\\\u0654\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd",
"target_port_label": "5061 \u00b7 SIP TLS",
"emulator_service": "sip-tls",
"confidence_reason": "Confiance 67 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "sip_tls",
"service_banner": "honeypot-sip-tls",
"service_os": "linux",
"dst_port": "5061"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_sip_voip_probe",
"sip_tls_emulated",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5061 · SIP TLS
|
sip-tls
|
Sonde HTTP smuggling
http smuggling probe · via SIP TLS:5061 · (tentative d'exploit)
|
Élevée
|
Moyen · 52
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
Émulateur
SIP-TLS
WAF
—
Recommandation
Investiguer
Tags
net_sip_voip_probe
sip_tls_emulated
sip_voip_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5061
Chemin / cible
—
Service
SIP TLS
Payload
REGISTER sip:62.3.50.33 SIP/2.0 Via: SIP/2.0/TCP 192.168.10.217:58024;branch=z9hG4bK-30138 Max-Forwards: 70 Call-ID: de08cc32
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 52
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
SIP protocol
User-Agent
—
Règles WAF
—
Payload (extrait)
REGISTER sip:62.3.50.33 SIP/2.0
Via: SIP/2.0/TCP 192.168.10.217:58024;branch=z9hG4bK-30138
Max-Forwards: 70
Call-ID: de08cc32
Requête brute (extrait)
REGISTER sip:62.3.50.33 SIP/2.0 Via: SIP/2.0/TCP 192.168.10.217:58024;branch=z9hG4bK-30138 Max-Forwards: 70 Call-ID: de08cc32-91fc-4cd8-85bb-d4f39e44b5e6 Content-Length: 0 To: <sip:94597681696@62.3.50.33> From: <sip:94597681696@192.168.10.217>;tag=30
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d",
"emulator_response_len": 215,
"bytes_in": 344,
"payload_entropy": 5.401847537013169,
"port_category": "registered",
"org": "OVH SAS",
"service": "sip-tls",
"app_proto": "sip-tls",
"asn": 16276,
"country": "RU",
"dst_port": 5061,
"risk_waf": 8,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 52,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "5be3b60591346242b76f64d001171712d237d13a",
"event_fingerprint": "023bc9d1c35abdce99228ec210a0d9707a172294",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0384"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"SIP protocol"
],
"pattern_ids": [
"pat-0842",
"pat-0384"
],
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 52
},
"named_classification_skipped": false,
"service_name": "sip-tls",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "3936247899cbf424715361fa000baae7",
"path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a"
},
"target_context": {
"dst_port": 5061,
"service": "sip-tls",
"service_name": "sip-tls",
"risk_score": 52
},
"payload_preview": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.217:58024;branch=z9hG4bK-30138\r\nMax-Forwards: 70\r\nCall-ID: de08cc32",
"request_sample": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.217:58024;branch=z9hG4bK-30138\r\nMax-Forwards: 70\r\nCall-ID: de08cc32-91fc-4cd8-85bb-d4f39e44b5e6\r\nContent-Length: 0\r\nTo: <sip:94597681696@62.3.50.33>\r\nFrom: <sip:94597681696@192.168.10.217>;tag=30",
"payload_snippet": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.217:58024;branch=z9hG4bK-30138\r\nMax-Forwards: 70\r\nCall-ID: de08cc32",
"evidence": {
"request_sample": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.217:58024;branch=z9hG4bK-30138\r\nMax-Forwards: 70\r\nCall-ID: de08cc32-91fc-4cd8-85bb-d4f39e44b5e6\r\nContent-Length: 0\r\nTo: <sip:94597681696@62.3.50.33>\r\nFrom: <sip:94597681696@192.168.10.217>;tag=30",
"payload_snippet": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.217:58024;branch=z9hG4bK-30138\r\nMax-Forwards: 70\r\nCall-ID: de08cc32",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "af00c1125c5c1ccec3314a1bdcfd3ca05050bd18",
"protocol_details": {
"payload_preview": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.217:58024;branch=z9hG4bK-30138\r\nMax-Forwards: 70\r\nCall-ID: de08cc32",
"port": 5061,
"service": "sip-tls",
"service_label_fr": "SIP TLS"
},
"evidence_snippet": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.217:58024;branch=z9hG4bK-30138\r\nMax-Forwards: 70\r\nCall-ID: de08cc32",
"attack_vector": "http smuggling probe \u00b7 via SIP TLS:5061 \u00b7 (tentative d'exploit)",
"target_port_label": "5061 \u00b7 SIP TLS",
"emulator_service": "sip-tls",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via SIP TLS",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 52
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 52,
"risk_label": "Moyen",
"service_name": "sip-tls",
"service_label_fr": "SIP TLS",
"dst_port": 5061,
"protocol_emulated": true,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-sip-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.217:58024;branch=z9hG4bK-30138\r\nMax-Forwards: 70\r\nCall-ID: de08cc32",
"port": 5061,
"service": "sip-tls",
"service_label_fr": "SIP TLS"
},
"attack_vector": "http smuggling probe \u00b7 via SIP TLS:5061 \u00b7 (tentative d'exploit)",
"evidence_snippet": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.217:58024;branch=z9hG4bK-30138\r\nMax-Forwards: 70\r\nCall-ID: de08cc32",
"target_port_label": "5061 \u00b7 SIP TLS",
"emulator_service": "sip-tls",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "sip_tls",
"service_banner": "honeypot-sip-tls",
"service_os": "linux",
"dst_port": "5061"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_sip_voip_probe",
"sip_tls_emulated",
"sip_voip_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5061 · SIP TLS
|
sip-tls
|
Sonde HTTP smuggling
http smuggling probe · via SIP TLS:5061 · (tentative d'exploit)
|
Élevée
|
Moyen · 52
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
Émulateur
SIP-TLS
WAF
—
Recommandation
Investiguer
Tags
net_sip_voip_probe
sip_tls_emulated
sip_voip_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5061
Chemin / cible
—
Service
SIP TLS
Payload
OPTIONS sip:62.3.50.33 SIP/2.0 Via: SIP/2.0/TCP 192.168.10.28:57920;branch=z9hG4bK-54047 Max-Forwards: 70 Call-ID: e8780bc7-3
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 52
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
SIP protocol
HTTP OPTIONS method
SIP OPTIONS
User-Agent
—
Règles WAF
—
Payload (extrait)
OPTIONS sip:62.3.50.33 SIP/2.0
Via: SIP/2.0/TCP 192.168.10.28:57920;branch=z9hG4bK-54047
Max-Forwards: 70
Call-ID: e8780bc7-3
Requête brute (extrait)
OPTIONS sip:62.3.50.33 SIP/2.0 Via: SIP/2.0/TCP 192.168.10.28:57920;branch=z9hG4bK-54047 Max-Forwards: 70 Call-ID: e8780bc7-3360-412c-af5b-6331e6eab8eb Content-Length: 0 To: <sip:62.3.50.33> From: <sip:09512332117@192.168.10.28>;tag=30395 CSeq: 1 OP
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d",
"emulator_response_len": 215,
"bytes_in": 338,
"payload_entropy": 5.386744141944372,
"port_category": "registered",
"org": "OVH SAS",
"service": "sip-tls",
"app_proto": "sip-tls",
"asn": 16276,
"country": "RU",
"dst_port": 5061,
"risk_waf": 8,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 52,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "5be3b60591346242b76f64d001171712d237d13a",
"event_fingerprint": "023bc9d1c35abdce99228ec210a0d9707a172294",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0384",
"pat-0420",
"pat-0535"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"SIP protocol",
"HTTP OPTIONS method",
"SIP OPTIONS"
],
"pattern_ids": [
"pat-0842",
"pat-0384",
"pat-0420",
"pat-0535"
],
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 52,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "sip-tls",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f0c8b2ad22b8d1c1cd7096c9717e7536",
"path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a"
},
"target_context": {
"dst_port": 5061,
"service": "sip-tls",
"service_name": "sip-tls",
"risk_score": 52
},
"payload_preview": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.28:57920;branch=z9hG4bK-54047\r\nMax-Forwards: 70\r\nCall-ID: e8780bc7-3",
"request_sample": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.28:57920;branch=z9hG4bK-54047\r\nMax-Forwards: 70\r\nCall-ID: e8780bc7-3360-412c-af5b-6331e6eab8eb\r\nContent-Length: 0\r\nTo: <sip:62.3.50.33>\r\nFrom: <sip:09512332117@192.168.10.28>;tag=30395\r\nCSeq: 1 OP",
"payload_snippet": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.28:57920;branch=z9hG4bK-54047\r\nMax-Forwards: 70\r\nCall-ID: e8780bc7-3",
"evidence": {
"request_sample": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.28:57920;branch=z9hG4bK-54047\r\nMax-Forwards: 70\r\nCall-ID: e8780bc7-3360-412c-af5b-6331e6eab8eb\r\nContent-Length: 0\r\nTo: <sip:62.3.50.33>\r\nFrom: <sip:09512332117@192.168.10.28>;tag=30395\r\nCSeq: 1 OP",
"payload_snippet": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.28:57920;branch=z9hG4bK-54047\r\nMax-Forwards: 70\r\nCall-ID: e8780bc7-3",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "763cf44dae6f4433a6aec8ba91dea578459db338",
"protocol_details": {
"payload_preview": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.28:57920;branch=z9hG4bK-54047\r\nMax-Forwards: 70\r\nCall-ID: e8780bc7-3",
"port": 5061,
"service": "sip-tls",
"service_label_fr": "SIP TLS"
},
"evidence_snippet": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.28:57920;branch=z9hG4bK-54047\r\nMax-Forwards: 70\r\nCall-ID: e8780bc7-3",
"attack_vector": "http smuggling probe \u00b7 via SIP TLS:5061 \u00b7 (tentative d'exploit)",
"target_port_label": "5061 \u00b7 SIP TLS",
"emulator_service": "sip-tls",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via SIP TLS \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 52,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 52,
"risk_label": "Moyen",
"service_name": "sip-tls",
"service_label_fr": "SIP TLS",
"dst_port": 5061,
"protocol_emulated": true,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-sip-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.28:57920;branch=z9hG4bK-54047\r\nMax-Forwards: 70\r\nCall-ID: e8780bc7-3",
"port": 5061,
"service": "sip-tls",
"service_label_fr": "SIP TLS"
},
"attack_vector": "http smuggling probe \u00b7 via SIP TLS:5061 \u00b7 (tentative d'exploit)",
"evidence_snippet": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.28:57920;branch=z9hG4bK-54047\r\nMax-Forwards: 70\r\nCall-ID: e8780bc7-3",
"target_port_label": "5061 \u00b7 SIP TLS",
"emulator_service": "sip-tls",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "sip_tls",
"service_banner": "honeypot-sip-tls",
"service_os": "linux",
"dst_port": "5061"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"sip",
"sip-tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_sip_voip_probe",
"sip_tls_emulated",
"sip_voip_probe"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
5060 · SIP
|
sip
|
Sonde SIP/VoIP
sip voip probe · via SIP:5060 · (sonde / probe)
|
Élevée
|
Faible · 34
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SIP
WAF
—
Recommandation
Surveiller
Tags
net_sip_voip_probe
sip_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5060
Chemin / cible
—
Pourquoi cette classification : Type « sip_voip_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 34
Confiance : Confiance 0 % — 2 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d",
"emulator_response_len": 215,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "OVH SAS",
"service": "sip",
"app_proto": "sip",
"asn": 16276,
"country": "RU",
"dst_port": 5060,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 34,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "7ede27279abdf995b4c23aeb42aaef771106fc4d",
"event_fingerprint": "3fcb8baeea4f587fed31373e40a068a2b2c72324",
"classification_reason": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 34
},
"named_classification_skipped": false,
"service_name": "sip",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "12e58fcb9ae07c2755694e8888ea070c"
},
"target_context": {
"dst_port": 5060,
"service": "sip",
"service_name": "sip",
"risk_score": 34
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d84b353c2e3026305f118e4eda26f551d550f6a6",
"protocol_details": {
"port": 5060,
"service": "sip",
"service_label_fr": "SIP"
},
"attack_vector": "sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)",
"target_port_label": "5060 \u00b7 SIP",
"emulator_service": "sip",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 34
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 34,
"risk_label": "Faible",
"service_name": "sip",
"service_label_fr": "SIP",
"dst_port": 5060,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-sip",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 5060,
"service": "sip",
"service_label_fr": "SIP"
},
"attack_vector": "sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "5060 \u00b7 SIP",
"emulator_service": "sip",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "sip",
"service_banner": "honeypot-sip",
"service_os": "linux",
"dst_port": "5060"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_sip_voip_probe",
"sip_emulated"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5060 · SIP
|
sip
|
Sonde SIP/VoIP
sip voip probe · via SIP:5060 · (sonde / probe)
|
Élevée
|
Faible · 34
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SIP
WAF
—
Recommandation
Surveiller
Tags
net_sip_voip_probe
sip_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5060
Chemin / cible
—
Pourquoi cette classification : Type « sip_voip_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 34
Confiance : Confiance 0 % — 2 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d",
"emulator_response_len": 215,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "OVH SAS",
"service": "sip",
"app_proto": "sip",
"asn": 16276,
"country": "RU",
"dst_port": 5060,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 34,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "7ede27279abdf995b4c23aeb42aaef771106fc4d",
"event_fingerprint": "3fcb8baeea4f587fed31373e40a068a2b2c72324",
"classification_reason": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 34
},
"named_classification_skipped": false,
"service_name": "sip",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "12e58fcb9ae07c2755694e8888ea070c"
},
"target_context": {
"dst_port": 5060,
"service": "sip",
"service_name": "sip",
"risk_score": 34
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d84b353c2e3026305f118e4eda26f551d550f6a6",
"protocol_details": {
"port": 5060,
"service": "sip",
"service_label_fr": "SIP"
},
"attack_vector": "sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)",
"target_port_label": "5060 \u00b7 SIP",
"emulator_service": "sip",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 34
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 34,
"risk_label": "Faible",
"service_name": "sip",
"service_label_fr": "SIP",
"dst_port": 5060,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-sip",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 5060,
"service": "sip",
"service_label_fr": "SIP"
},
"attack_vector": "sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "5060 \u00b7 SIP",
"emulator_service": "sip",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "sip",
"service_banner": "honeypot-sip",
"service_os": "linux",
"dst_port": "5060"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_sip_voip_probe",
"sip_emulated"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5060 · SIP
|
sip
|
Sonde HTTP smuggling
http smuggling probe · via SIP:5060 · (tentative d'exploit)
|
Élevée
|
Moyen · 52
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
Émulateur
SIP
WAF
—
Recommandation
Investiguer
Tags
net_sip_voip_probe
sip_emulated
sip_payload
sip_voip_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5060
Chemin / cible
—
Service
SIP
Payload
REGISTER sip:62.3.50.33 SIP/2.0 Via: SIP/2.0/TCP 192.168.10.18:53706;branch=z9hG4bK-52247 Max-Forwards: 70 Call-ID: 4311e178-
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 52
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
SIP protocol
User-Agent
—
Règles WAF
—
Payload (extrait)
REGISTER sip:62.3.50.33 SIP/2.0
Via: SIP/2.0/TCP 192.168.10.18:53706;branch=z9hG4bK-52247
Max-Forwards: 70
Call-ID: 4311e178-
Requête brute (extrait)
REGISTER sip:62.3.50.33 SIP/2.0 Via: SIP/2.0/TCP 192.168.10.18:53706;branch=z9hG4bK-52247 Max-Forwards: 70 Call-ID: 4311e178-9b83-4e01-ad84-37d9ac5e70d9 Content-Length: 0 To: <sip:38300356813@62.3.50.33> From: <sip:38300356813@192.168.10.18>;tag=4460
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d",
"emulator_response_len": 215,
"bytes_in": 342,
"payload_entropy": 5.317552819273413,
"port_category": "registered",
"org": "OVH SAS",
"service": "sip",
"app_proto": "sip",
"asn": 16276,
"country": "RU",
"dst_port": 5060,
"risk_waf": 8,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 52,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "9d47a028d45c994ea562e4af4fb360bfaa9c2d49",
"event_fingerprint": "3fcb8baeea4f587fed31373e40a068a2b2c72324",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0384"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"SIP protocol"
],
"pattern_ids": [
"pat-0842",
"pat-0384"
],
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 52
},
"named_classification_skipped": false,
"service_name": "sip",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "9770ffabe3cebe502299c71f6b61eebb",
"path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a"
},
"target_context": {
"dst_port": 5060,
"service": "sip",
"service_name": "sip",
"risk_score": 52
},
"payload_preview": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.18:53706;branch=z9hG4bK-52247\r\nMax-Forwards: 70\r\nCall-ID: 4311e178-",
"request_sample": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.18:53706;branch=z9hG4bK-52247\r\nMax-Forwards: 70\r\nCall-ID: 4311e178-9b83-4e01-ad84-37d9ac5e70d9\r\nContent-Length: 0\r\nTo: <sip:38300356813@62.3.50.33>\r\nFrom: <sip:38300356813@192.168.10.18>;tag=4460",
"payload_snippet": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.18:53706;branch=z9hG4bK-52247\r\nMax-Forwards: 70\r\nCall-ID: 4311e178-",
"evidence": {
"request_sample": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.18:53706;branch=z9hG4bK-52247\r\nMax-Forwards: 70\r\nCall-ID: 4311e178-9b83-4e01-ad84-37d9ac5e70d9\r\nContent-Length: 0\r\nTo: <sip:38300356813@62.3.50.33>\r\nFrom: <sip:38300356813@192.168.10.18>;tag=4460",
"payload_snippet": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.18:53706;branch=z9hG4bK-52247\r\nMax-Forwards: 70\r\nCall-ID: 4311e178-",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8ac1e4997c1cc2ae84a3ef5430db9ab9cf51c9ae",
"protocol_details": {
"payload_preview": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.18:53706;branch=z9hG4bK-52247\r\nMax-Forwards: 70\r\nCall-ID: 4311e178-",
"port": 5060,
"service": "sip",
"service_label_fr": "SIP"
},
"evidence_snippet": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.18:53706;branch=z9hG4bK-52247\r\nMax-Forwards: 70\r\nCall-ID: 4311e178-",
"attack_vector": "http smuggling probe \u00b7 via SIP:5060 \u00b7 (tentative d'exploit)",
"target_port_label": "5060 \u00b7 SIP",
"emulator_service": "sip",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via SIP",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 52
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 52,
"risk_label": "Moyen",
"service_name": "sip",
"service_label_fr": "SIP",
"dst_port": 5060,
"protocol_emulated": true,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-sip",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.18:53706;branch=z9hG4bK-52247\r\nMax-Forwards: 70\r\nCall-ID: 4311e178-",
"port": 5060,
"service": "sip",
"service_label_fr": "SIP"
},
"attack_vector": "http smuggling probe \u00b7 via SIP:5060 \u00b7 (tentative d'exploit)",
"evidence_snippet": "REGISTER sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.18:53706;branch=z9hG4bK-52247\r\nMax-Forwards: 70\r\nCall-ID: 4311e178-",
"target_port_label": "5060 \u00b7 SIP",
"emulator_service": "sip",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "sip",
"service_banner": "honeypot-sip",
"service_os": "linux",
"dst_port": "5060"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_sip_voip_probe",
"sip_emulated",
"sip_payload",
"sip_voip_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5060 · SIP
|
sip
|
Sonde HTTP smuggling
http smuggling probe · via SIP:5060 · (tentative d'exploit)
|
Élevée
|
Moyen · 52
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
Émulateur
SIP
WAF
—
Recommandation
Investiguer
Tags
net_sip_voip_probe
sip_emulated
sip_payload
sip_voip_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5060
Chemin / cible
—
Service
SIP
Payload
OPTIONS sip:62.3.50.33 SIP/2.0 Via: SIP/2.0/TCP 192.168.10.142:53366;branch=z9hG4bK-25609 Max-Forwards: 70 Call-ID: 5532ddd2-
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 52
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
SIP protocol
HTTP OPTIONS method
SIP OPTIONS
User-Agent
—
Règles WAF
—
Payload (extrait)
OPTIONS sip:62.3.50.33 SIP/2.0
Via: SIP/2.0/TCP 192.168.10.142:53366;branch=z9hG4bK-25609
Max-Forwards: 70
Call-ID: 5532ddd2-
Requête brute (extrait)
OPTIONS sip:62.3.50.33 SIP/2.0 Via: SIP/2.0/TCP 192.168.10.142:53366;branch=z9hG4bK-25609 Max-Forwards: 70 Call-ID: 5532ddd2-24d1-462b-839b-d234934e475d Content-Length: 0 To: <sip:62.3.50.33> From: <sip:46373851983@192.168.10.142>;tag=32649 CSeq: 1
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d",
"emulator_response_len": 215,
"bytes_in": 341,
"payload_entropy": 5.371408391016639,
"port_category": "registered",
"org": "OVH SAS",
"service": "sip",
"app_proto": "sip",
"asn": 16276,
"country": "RU",
"dst_port": 5060,
"risk_waf": 8,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 52,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "9d47a028d45c994ea562e4af4fb360bfaa9c2d49",
"event_fingerprint": "3fcb8baeea4f587fed31373e40a068a2b2c72324",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0384",
"pat-0420",
"pat-0535"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"SIP protocol",
"HTTP OPTIONS method",
"SIP OPTIONS"
],
"pattern_ids": [
"pat-0842",
"pat-0384",
"pat-0420",
"pat-0535"
],
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 52
},
"named_classification_skipped": false,
"service_name": "sip",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "RU",
"asn": 16276,
"org": "OVH SAS",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "25c711ea46cee4950d53395bf27203f8",
"path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a"
},
"target_context": {
"dst_port": 5060,
"service": "sip",
"service_name": "sip",
"risk_score": 52
},
"payload_preview": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.142:53366;branch=z9hG4bK-25609\r\nMax-Forwards: 70\r\nCall-ID: 5532ddd2-",
"request_sample": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.142:53366;branch=z9hG4bK-25609\r\nMax-Forwards: 70\r\nCall-ID: 5532ddd2-24d1-462b-839b-d234934e475d\r\nContent-Length: 0\r\nTo: <sip:62.3.50.33>\r\nFrom: <sip:46373851983@192.168.10.142>;tag=32649\r\nCSeq: 1 ",
"payload_snippet": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.142:53366;branch=z9hG4bK-25609\r\nMax-Forwards: 70\r\nCall-ID: 5532ddd2-",
"evidence": {
"request_sample": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.142:53366;branch=z9hG4bK-25609\r\nMax-Forwards: 70\r\nCall-ID: 5532ddd2-24d1-462b-839b-d234934e475d\r\nContent-Length: 0\r\nTo: <sip:62.3.50.33>\r\nFrom: <sip:46373851983@192.168.10.142>;tag=32649\r\nCSeq: 1 ",
"payload_snippet": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.142:53366;branch=z9hG4bK-25609\r\nMax-Forwards: 70\r\nCall-ID: 5532ddd2-",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7b55925860326f375ae0781e1927589a903fc29b",
"protocol_details": {
"payload_preview": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.142:53366;branch=z9hG4bK-25609\r\nMax-Forwards: 70\r\nCall-ID: 5532ddd2-",
"port": 5060,
"service": "sip",
"service_label_fr": "SIP"
},
"evidence_snippet": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.142:53366;branch=z9hG4bK-25609\r\nMax-Forwards: 70\r\nCall-ID: 5532ddd2-",
"attack_vector": "http smuggling probe \u00b7 via SIP:5060 \u00b7 (tentative d'exploit)",
"target_port_label": "5060 \u00b7 SIP",
"emulator_service": "sip",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via SIP",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 52
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 52,
"risk_label": "Moyen",
"service_name": "sip",
"service_label_fr": "SIP",
"dst_port": 5060,
"protocol_emulated": true,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-sip",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.142:53366;branch=z9hG4bK-25609\r\nMax-Forwards: 70\r\nCall-ID: 5532ddd2-",
"port": 5060,
"service": "sip",
"service_label_fr": "SIP"
},
"attack_vector": "http smuggling probe \u00b7 via SIP:5060 \u00b7 (tentative d'exploit)",
"evidence_snippet": "OPTIONS sip:62.3.50.33 SIP\/2.0\r\nVia: SIP\/2.0\/TCP 192.168.10.142:53366;branch=z9hG4bK-25609\r\nMax-Forwards: 70\r\nCall-ID: 5532ddd2-",
"target_port_label": "5060 \u00b7 SIP",
"emulator_service": "sip",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "sip",
"service_banner": "honeypot-sip",
"service_os": "linux",
"dst_port": "5060"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_sip_voip_probe",
"sip_emulated",
"sip_payload",
"sip_voip_probe"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|