{"ip":"82.102.31.6","exported_at":"2026-06-20T11:52:44+00:00","period_days":7,"metrics":{"events7d":63,"distinct_ports":1,"distinct_classifications":1,"max_severity":3,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":45,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["unknown"],"recommended_action":"monitor","confidence":0.5,"risk_breakdown":{"waf":8,"classification":24,"behavior":0,"geo":0,"protocol":30,"novelty":15},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":63,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 35\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":24,"behavior":0,"geo":0,"protocol":30,"novelty":15,"risk_score":35},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":50,"confidence_hint_fr":"Confiance mod\u00e9r\u00e9e \u2014 signal unique","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0554"],"tags_summary":["pat-0554"],"attack_vector":"irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u001cdR(\ufffd+0Q\u0007\ufffdv\ufffd\u0085l8\ufffd\/\ufffdk\u000f\ufffdGA1\ufffdu\ufffd5 \ufffdY\ufffd\u0018n\ufffd\u0016\ufffdi\ufffd\u0017\ufffdb\ufffd\ufffd\ufffdvR\ufffd\ufffd\u0018+\ufffd\ufffd`2\ufffd1y\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\u0012\ufffd\u0013\ufffd\u0007\ufffd\u0027\ufffd\u0014\ufffd\/\u0013\u0001\ufffd\u0014\u0013\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0013\u0005","port":6666,"service":"irc-alt","service_label_fr":"IRC ALT"},"protocol_summary_fr":"Payload \u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u001cdR(\ufffd+0Q\u0007\ufffdv\ufffd\u0085l8\ufffd\/\ufffdk\u000f\ufffdGA1\ufffdu\ufffd5 \ufffdY\ufffd\u0018n\ufffd\u0016\ufffdi\ufffd\u0017\ufffdb\ufffd\ufffd\ufffdvR\ufffd\ufffd\u0018\u2026 \u00b7 IRC ALT:6666","evidence_snippet":"\ufffd\ufffd\ufffd\ufffddR(\ufffd+0Q\ufffdv\ufffd\u0085l8\ufffd\/\ufffdk\ufffdGA1\ufffdu\ufffd5 \ufffdY\ufffdn\ufffd\ufffdi\ufffd\ufffdb\ufffd\ufffd\ufffdvR\ufffd\ufffd+\ufffd\ufffd`2\ufffd1y\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$","target_port_label":"6666 \u00b7 IRC ALT","emulator_service":"irc-alt","confidence_reason":"Confiance 50 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%","classification_reason_label_fr":"Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%","confidence_factors_fr":"Confiance 50 % \u2014 Score WAF 8","payload_preview":"\ufffd\ufffd\ufffd\ufffddR(\ufffd+0Q\ufffdv\ufffd\u0085l8\ufffd\/\ufffdk\ufffdGA1\ufffdu\ufffd5 \ufffdY\ufffdn\ufffd\ufffdi\ufffd\ufffdb\ufffd\ufffd\ufffdvR\ufffd\ufffd+\ufffd\ufffd`2\ufffd1y\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$"},"events":[{"id":9689169,"ip":"82.102.31.6","ts":"2026-06-20 00:46:29.000000","proto":"tcp","src_port":59452,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 439, \u0022payload_entropy\u0022: 5.953520722656425, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022be03909c7ccc6fd4bfe82a86e14b3238\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u001cdR(\ufffd+0Q\\u0007\ufffdv\ufffd\u0085l8\ufffd\/\ufffdk\\u000f\ufffdGA1\ufffdu\ufffd5 \ufffdY\ufffd\\u0018n\ufffd\\u0016\ufffdi\ufffd\\u0017\ufffdb\ufffd\ufffd\ufffdvR\ufffd\ufffd\\u0018+\ufffd\ufffd`2\ufffd1y\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u001cdR(\ufffd+0Q\\u0007\ufffdv\ufffd\u0085l8\ufffd\/\ufffdk\\u000f\ufffdGA1\ufffdu\ufffd5 \ufffdY\ufffd\\u0018n\ufffd\\u0016\ufffdi\ufffd\\u0017\ufffdb\ufffd\ufffd\ufffdvR\ufffd\ufffd\\u0018+\ufffd\ufffd`2\ufffd1y\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\ufffd\\n\\u0013\\u0004\ufffd+\\u0013\\u0003\ufffd\ufffd\ufffd\\u0013\ufffd\ufffd\ufffd\\u0011\ufffd#\\u0000\\n\ufffd\\t\\u0000\/\ufffd\\b\\u0000\u003C\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000E\\u0000=\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000k\\u0000A\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\\u0007\\u0000g\\u0000\\u0004\\u00003\\u0000\\u0005\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\\u001a\\u001a\\u0000\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u001cdR(\ufffd+0Q\\u0007\ufffdv\ufffd\u0085l8\ufffd\/\ufffdk\\u000f\ufffdGA1\ufffdu\ufffd5 \ufffdY\ufffd\\u0018n\ufffd\\u0016\ufffdi\ufffd\\u0017\ufffdb\ufffd\ufffd\ufffdvR\ufffd\ufffd\\u0018+\ufffd\ufffd`2\ufffd1y\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e715865be44a3764ebf833c27dc140826d101f8f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u001cdR(\ufffd+0Q\\u0007\ufffdv\ufffd\u0085l8\ufffd\/\ufffdk\\u000f\ufffdGA1\ufffdu\ufffd5 \ufffdY\ufffd\\u0018n\ufffd\\u0016\ufffdi\ufffd\\u0017\ufffdb\ufffd\ufffd\ufffdvR\ufffd\ufffd\\u0018+\ufffd\ufffd`2\ufffd1y\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffddR(\ufffd+0Q\ufffdv\ufffd\u0085l8\ufffd\/\ufffdk\ufffdGA1\ufffdu\ufffd5 \ufffdY\ufffdn\ufffd\ufffdi\ufffd\ufffdb\ufffd\ufffd\ufffdvR\ufffd\ufffd+\ufffd\ufffd`2\ufffd1y\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u001cdR(\ufffd+0Q\\u0007\ufffdv\ufffd\u0085l8\ufffd\/\ufffdk\\u000f\ufffdGA1\ufffdu\ufffd5 \ufffdY\ufffd\\u0018n\ufffd\\u0016\ufffdi\ufffd\\u0017\ufffdb\ufffd\ufffd\ufffdvR\ufffd\ufffd\\u0018+\ufffd\ufffd`2\ufffd1y\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffddR(\ufffd+0Q\ufffdv\ufffd\u0085l8\ufffd\/\ufffdk\ufffdGA1\ufffdu\ufffd5 \ufffdY\ufffdn\ufffd\ufffdi\ufffd\ufffdb\ufffd\ufffd\ufffdvR\ufffd\ufffd+\ufffd\ufffd`2\ufffd1y\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":439},{"id":9689168,"ip":"82.102.31.6","ts":"2026-06-20 00:46:28.000000","proto":"tcp","src_port":59440,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 416, \u0022payload_entropy\u0022: 6.018949855402493, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022de826c6c5f727f22e23d0497d46e590b\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003p\ufffd\ufffd\\u0016\u00b0\ufffdC~:\\u001a\ufffdW\\u0010@R\ufffd\ufffd\ufffd\ufffd\\u001f\ufffd|p\ufffd\ufffd\ufffd6\\u001a\ufffd\ufffd\ufffd \ufffd\ufffd\\u0004\ufffd\\u001fS\u003C\u003C\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffdR)\ufffdo\\u0005\ufffd\\r\ufffd\u0603\ufffd\ufffdx\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003p\ufffd\ufffd\\u0016\u00b0\ufffdC~:\\u001a\ufffdW\\u0010@R\ufffd\ufffd\ufffd\ufffd\\u001f\ufffd|p\ufffd\ufffd\ufffd6\\u001a\ufffd\ufffd\ufffd \ufffd\ufffd\\u0004\ufffd\\u001fS\u003C\u003C\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffdR)\ufffdo\\u0005\ufffd\\r\ufffd\u0603\ufffd\ufffdx\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003p\ufffd\ufffd\\u0016\u00b0\ufffdC~:\\u001a\ufffdW\\u0010@R\ufffd\ufffd\ufffd\ufffd\\u001f\ufffd|p\ufffd\ufffd\ufffd6\\u001a\ufffd\ufffd\ufffd \ufffd\ufffd\\u0004\ufffd\\u001fS\u003C\u003C\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffdR)\ufffdo\\u0005\ufffd\\r\ufffd\u0603\ufffd\ufffdx\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022995a426635941ef29dbd1b9db9ec7c7672a88de1\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003p\ufffd\ufffd\\u0016\u00b0\ufffdC~:\\u001a\ufffdW\\u0010@R\ufffd\ufffd\ufffd\ufffd\\u001f\ufffd|p\ufffd\ufffd\ufffd6\\u001a\ufffd\ufffd\ufffd \ufffd\ufffd\\u0004\ufffd\\u001fS\u003C\u003C\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffdR)\ufffdo\\u0005\ufffd\\r\ufffd\u0603\ufffd\ufffdx\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdp\ufffd\ufffd\u00b0\ufffdC~:\ufffdW@R\ufffd\ufffd\ufffd\ufffd\ufffd|p\ufffd\ufffd\ufffd6\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdS\u003C\u003C\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffdR)\ufffdo\ufffd\\r\ufffd\u0603\ufffd\ufffdx\ufffd\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003p\ufffd\ufffd\\u0016\u00b0\ufffdC~:\\u001a\ufffdW\\u0010@R\ufffd\ufffd\ufffd\ufffd\\u001f\ufffd|p\ufffd\ufffd\ufffd6\\u001a\ufffd\ufffd\ufffd \ufffd\ufffd\\u0004\ufffd\\u001fS\u003C\u003C\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffdR)\ufffdo\\u0005\ufffd\\r\ufffd\u0603\ufffd\ufffdx\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdp\ufffd\ufffd\u00b0\ufffdC~:\ufffdW@R\ufffd\ufffd\ufffd\ufffd\ufffd|p\ufffd\ufffd\ufffd6\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdS\u003C\u003C\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffdR)\ufffdo\ufffd\\r\ufffd\u0603\ufffd\ufffdx\ufffd\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":416},{"id":9689167,"ip":"82.102.31.6","ts":"2026-06-20 00:46:27.000000","proto":"tcp","src_port":59430,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 426, \u0022payload_entropy\u0022: 6.006183663424774, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002283026cbe03aefba66bd7c680159c3600\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003H\ufffd\\u000f\u05ba?-A\ufffdED\ufffdl\ufffd\u05030\ufffd..\ufffd\ufffd\\u001e\ufffdgw\ufffd2\u0026\\u0013\\u001a\ufffd \\u0004\\u001b\\u000b\ufffd\ufffdk\ufffd\ufffd~^\ufffdz\ufffd\ufffd\ufffds\ufffd\\u0018,\ufffdJ\ufffd\ufffd\ufffdBM\ufffdvf\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003H\ufffd\\u000f\u05ba?-A\ufffdED\ufffdl\ufffd\u05030\ufffd..\ufffd\ufffd\\u001e\ufffdgw\ufffd2\u0026\\u0013\\u001a\ufffd \\u0004\\u001b\\u000b\ufffd\ufffdk\ufffd\ufffd~^\ufffdz\ufffd\ufffd\ufffds\ufffd\\u0018,\ufffdJ\ufffd\ufffd\ufffdBM\ufffdvf\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\ufffdv\ufffda\ufffd`\ufffd0\ufffd(\ufffd\\u0014\ufffd\/\ufffd\u0027\ufffd\\u0013\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000k\\u00009\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000g\\u00003\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003H\ufffd\\u000f\u05ba?-A\ufffdED\ufffdl\ufffd\u05030\ufffd..\ufffd\ufffd\\u001e\ufffdgw\ufffd2\u0026\\u0013\\u001a\ufffd \\u0004\\u001b\\u000b\ufffd\ufffdk\ufffd\ufffd~^\ufffdz\ufffd\ufffd\ufffds\ufffd\\u0018,\ufffdJ\ufffd\ufffd\ufffdBM\ufffdvf\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f93d3e2c38e6b752cd85a276680c2176e27533c5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003H\ufffd\\u000f\u05ba?-A\ufffdED\ufffdl\ufffd\u05030\ufffd..\ufffd\ufffd\\u001e\ufffdgw\ufffd2\u0026\\u0013\\u001a\ufffd \\u0004\\u001b\\u000b\ufffd\ufffdk\ufffd\ufffd~^\ufffdz\ufffd\ufffd\ufffds\ufffd\\u0018,\ufffdJ\ufffd\ufffd\ufffdBM\ufffdvf\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdH\ufffd\u05ba?-A\ufffdED\ufffdl\ufffd\u05030\ufffd..\ufffd\ufffd\ufffdgw\ufffd2\u0026\ufffd \ufffd\ufffdk\ufffd\ufffd~^\ufffdz\ufffd\ufffd\ufffds\ufffd,\ufffdJ\ufffd\ufffd\ufffdBM\ufffdvf\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\/\\n\ufffd\ufffd\u0328\ufffdw\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003H\ufffd\\u000f\u05ba?-A\ufffdED\ufffdl\ufffd\u05030\ufffd..\ufffd\ufffd\\u001e\ufffdgw\ufffd2\u0026\\u0013\\u001a\ufffd \\u0004\\u001b\\u000b\ufffd\ufffdk\ufffd\ufffd~^\ufffdz\ufffd\ufffd\ufffds\ufffd\\u0018,\ufffdJ\ufffd\ufffd\ufffdBM\ufffdvf\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdH\ufffd\u05ba?-A\ufffdED\ufffdl\ufffd\u05030\ufffd..\ufffd\ufffd\ufffdgw\ufffd2\u0026\ufffd \ufffd\ufffdk\ufffd\ufffd~^\ufffdz\ufffd\ufffd\ufffds\ufffd,\ufffdJ\ufffd\ufffd\ufffdBM\ufffdvf\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\/\\n\ufffd\ufffd\u0328\ufffdw\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":426},{"id":9689165,"ip":"82.102.31.6","ts":"2026-06-20 00:46:26.000000","proto":"tcp","src_port":59398,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 413, \u0022payload_entropy\u0022: 6.047616161479542, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226bff96f60cf15b54f7fc15e24814d1eb\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002\ufffd\ufffd\\u0018\ufffd\ufffdB\ufffd\\u001b}\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffd\\u0011\ufffd\ufffd8l\ufffd\ufffd\ufffdU\ufffd\ufffdS\ufffd\/\ufffd\ufffd \u0099\ufffd\ufffd\ufffd\ufffd\\u0019*Xt\ufffd\ufffd\ufffd\ufffdl\ufffd\ufffd\\u0014\ufffd\\u0006\ufffd\ufffd\\u001a\\u0013M\\\u0022@V\ufffdtu\\u000f\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002\ufffd\ufffd\\u0018\ufffd\ufffdB\ufffd\\u001b}\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffd\\u0011\ufffd\ufffd8l\ufffd\ufffd\ufffdU\ufffd\ufffdS\ufffd\/\ufffd\ufffd \u0099\ufffd\ufffd\ufffd\ufffd\\u0019*Xt\ufffd\ufffd\ufffd\ufffdl\ufffd\ufffd\\u0014\ufffd\\u0006\ufffd\ufffd\\u001a\\u0013M\\\u0022@V\ufffdtu\\u000f\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\\u0013\\u0002\\u0013\\u0001\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002\ufffd\ufffd\\u0018\ufffd\ufffdB\ufffd\\u001b}\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffd\\u0011\ufffd\ufffd8l\ufffd\ufffd\ufffdU\ufffd\ufffdS\ufffd\/\ufffd\ufffd \u0099\ufffd\ufffd\ufffd\ufffd\\u0019*Xt\ufffd\ufffd\ufffd\ufffdl\ufffd\ufffd\\u0014\ufffd\\u0006\ufffd\ufffd\\u001a\\u0013M\\\u0022@V\ufffdtu\\u000f\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002271127b94ec041c0325acd9dcc93a7b63bcc0f7f8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002\ufffd\ufffd\\u0018\ufffd\ufffdB\ufffd\\u001b}\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffd\\u0011\ufffd\ufffd8l\ufffd\ufffd\ufffdU\ufffd\ufffdS\ufffd\/\ufffd\ufffd \u0099\ufffd\ufffd\ufffd\ufffd\\u0019*Xt\ufffd\ufffd\ufffd\ufffdl\ufffd\ufffd\\u0014\ufffd\\u0006\ufffd\ufffd\\u001a\\u0013M\\\u0022@V\ufffdtu\\u000f\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdB\ufffd}\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd8l\ufffd\ufffd\ufffdU\ufffd\ufffdS\ufffd\/\ufffd\ufffd \u0099\ufffd\ufffd\ufffd\ufffd*Xt\ufffd\ufffd\ufffd\ufffdl\ufffd\ufffd\ufffd\ufffd\ufffdM\\\u0022@V\ufffdtu\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002\ufffd\ufffd\\u0018\ufffd\ufffdB\ufffd\\u001b}\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffd\\u0011\ufffd\ufffd8l\ufffd\ufffd\ufffdU\ufffd\ufffdS\ufffd\/\ufffd\ufffd \u0099\ufffd\ufffd\ufffd\ufffd\\u0019*Xt\ufffd\ufffd\ufffd\ufffdl\ufffd\ufffd\\u0014\ufffd\\u0006\ufffd\ufffd\\u001a\\u0013M\\\u0022@V\ufffdtu\\u000f\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdB\ufffd}\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd8l\ufffd\ufffd\ufffdU\ufffd\ufffdS\ufffd\/\ufffd\ufffd \u0099\ufffd\ufffd\ufffd\ufffd*Xt\ufffd\ufffd\ufffd\ufffdl\ufffd\ufffd\ufffd\ufffd\ufffdM\\\u0022@V\ufffdtu\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":413},{"id":9689166,"ip":"82.102.31.6","ts":"2026-06-20 00:46:26.000000","proto":"tcp","src_port":59414,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 426, \u0022payload_entropy\u0022: 5.9913800450978165, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002288cf637ffc61f44fd9f9a717cb473d5f\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd.@9\ufffdX\ufffdhe\ufffdm\ufffdA\\u0011\ufffd\\u001b\/\ufffdt{\ufffd\ufffd4\\u000b\ufffd\\r\\u0012y\ufffdQ \ufffd\ufffd0\ufffd^\\u0007\ufffd\\u001d\ufffd\ufffd\u003ED\ufffd*\ufffd0\ufffd\ufffd\ufffd\ufffd4+o\ufffd\\u0011\\u0016\ufffdK\ufffd]p_\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd.@9\ufffdX\ufffdhe\ufffdm\ufffdA\\u0011\ufffd\\u001b\/\ufffdt{\ufffd\ufffd4\\u000b\ufffd\\r\\u0012y\ufffdQ \ufffd\ufffd0\ufffd^\\u0007\ufffd\\u001d\ufffd\ufffd\u003ED\ufffd*\ufffd0\ufffd\ufffd\ufffd\ufffd4+o\ufffd\\u0011\\u0016\ufffdK\ufffd]p_\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\\u0013\\u0002\\u0013\\u0001\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd.@9\ufffdX\ufffdhe\ufffdm\ufffdA\\u0011\ufffd\\u001b\/\ufffdt{\ufffd\ufffd4\\u000b\ufffd\\r\\u0012y\ufffdQ \ufffd\ufffd0\ufffd^\\u0007\ufffd\\u001d\ufffd\ufffd\u003ED\ufffd*\ufffd0\ufffd\ufffd\ufffd\ufffd4+o\ufffd\\u0011\\u0016\ufffdK\ufffd]p_\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002241882ab218855202a31ee79a1e32d5378f6a7301\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd.@9\ufffdX\ufffdhe\ufffdm\ufffdA\\u0011\ufffd\\u001b\/\ufffdt{\ufffd\ufffd4\\u000b\ufffd\\r\\u0012y\ufffdQ \ufffd\ufffd0\ufffd^\\u0007\ufffd\\u001d\ufffd\ufffd\u003ED\ufffd*\ufffd0\ufffd\ufffd\ufffd\ufffd4+o\ufffd\\u0011\\u0016\ufffdK\ufffd]p_\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd.@9\ufffdX\ufffdhe\ufffdm\ufffdA\ufffd\/\ufffdt{\ufffd\ufffd4\ufffd\\ry\ufffdQ \ufffd\ufffd0\ufffd^\ufffd\ufffd\ufffd\u003ED\ufffd*\ufffd0\ufffd\ufffd\ufffd\ufffd4+o\ufffd\ufffdK\ufffd]p_\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd.@9\ufffdX\ufffdhe\ufffdm\ufffdA\\u0011\ufffd\\u001b\/\ufffdt{\ufffd\ufffd4\\u000b\ufffd\\r\\u0012y\ufffdQ \ufffd\ufffd0\ufffd^\\u0007\ufffd\\u001d\ufffd\ufffd\u003ED\ufffd*\ufffd0\ufffd\ufffd\ufffd\ufffd4+o\ufffd\\u0011\\u0016\ufffdK\ufffd]p_\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd.@9\ufffdX\ufffdhe\ufffdm\ufffdA\ufffd\/\ufffdt{\ufffd\ufffd4\ufffd\\ry\ufffdQ \ufffd\ufffd0\ufffd^\ufffd\ufffd\ufffd\u003ED\ufffd*\ufffd0\ufffd\ufffd\ufffd\ufffd4+o\ufffd\ufffdK\ufffd]p_\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":426},{"id":9689164,"ip":"82.102.31.6","ts":"2026-06-20 00:46:25.000000","proto":"tcp","src_port":59388,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 412, \u0022payload_entropy\u0022: 6.008299083604288, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022747f19cc87001772958d7d5f6934c010\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u00037\ufffd\ufffd.\ufffd\\u0006\u036e\ufffd\ufffd\ufffdN\ufffdV\ufffdj\ufffd\\u000b\ufffd\ufffd(\u003E\ufffdK\\u001b\ufffd#=\ufffd\ufffd ZV\ufffd\ufffd\\r.@ep:\ufffd\ufffd\ufffdy;t\u046fK\\u0019iPG\ufffd\\\\\ufffdB\\nE{W.\\u0000\ufffdJJ\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u00037\ufffd\ufffd.\ufffd\\u0006\u036e\ufffd\ufffd\ufffdN\ufffdV\ufffdj\ufffd\\u000b\ufffd\ufffd(\u003E\ufffdK\\u001b\ufffd#=\ufffd\ufffd ZV\ufffd\ufffd\\r.@ep:\ufffd\ufffd\ufffdy;t\u046fK\\u0019iPG\ufffd\\\\\ufffdB\\nE{W.\\u0000\ufffdJJ\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\ufffd\\n\\u0013\\u0004\ufffd+\\u0013\\u0003\ufffd\ufffd\ufffd\\u0013\ufffd\ufffd\ufffd\\u0011\ufffd#\\u0000\\n\ufffd\\t\\u0000\/\ufffd\\b\\u0000\u003C\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000E\\u0000=\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000k\\u0000A\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\\u0007\\u0000g\\u0000\\u0004\\u00003\\u0000\\u0005\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u00037\ufffd\ufffd.\ufffd\\u0006\u036e\ufffd\ufffd\ufffdN\ufffdV\ufffdj\ufffd\\u000b\ufffd\ufffd(\u003E\ufffdK\\u001b\ufffd#=\ufffd\ufffd ZV\ufffd\ufffd\\r.@ep:\ufffd\ufffd\ufffdy;t\u046fK\\u0019iPG\ufffd\\\\\ufffdB\\nE{W.\\u0000\ufffdJJ\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u00037\ufffd\ufffd.\ufffd\\u0006\u036e\ufffd\ufffd\ufffdN\ufffdV\ufffdj\ufffd\\u000b\ufffd\ufffd(\u003E\ufffdK\\u001b\ufffd#=\ufffd\ufffd ZV\ufffd\ufffd\\r.@ep:\ufffd\ufffd\ufffdy;t\u046fK\\u0019iPG\ufffd\\\\\ufffdB\\nE{W.\\u0000\ufffdJJ\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\ufffd\\n\\u0013\\u0004\ufffd+\\u0013\\u0003\ufffd\ufffd\ufffd\\u0013\ufffd\ufffd\ufffd\\u0011\ufffd#\\u0000\\n\ufffd\\t\\u0000\/\ufffd\\b\\u0000\u003C\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000E\\u0000=\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000k\\u0000A\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\\u0007\\u0000g\\u0000\\u0004\\u00003\\u0000\\u0005\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u00037\ufffd\ufffd.\ufffd\\u0006\u036e\ufffd\ufffd\ufffdN\ufffdV\ufffdj\ufffd\\u000b\ufffd\ufffd(\u003E\ufffdK\\u001b\ufffd#=\ufffd\ufffd ZV\ufffd\ufffd\\r.@ep:\ufffd\ufffd\ufffdy;t\u046fK\\u0019iPG\ufffd\\\\\ufffdB\\nE{W.\\u0000\ufffdJJ\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224613e8db765346cbf7aea989f98c4835702cce2d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u00037\ufffd\ufffd.\ufffd\\u0006\u036e\ufffd\ufffd\ufffdN\ufffdV\ufffdj\ufffd\\u000b\ufffd\ufffd(\u003E\ufffdK\\u001b\ufffd#=\ufffd\ufffd ZV\ufffd\ufffd\\r.@ep:\ufffd\ufffd\ufffdy;t\u046fK\\u0019iPG\ufffd\\\\\ufffdB\\nE{W.\\u0000\ufffdJJ\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd7\ufffd\ufffd.\ufffd\u036e\ufffd\ufffd\ufffdN\ufffdV\ufffdj\ufffd\ufffd\ufffd(\u003E\ufffdK\ufffd#=\ufffd\ufffd ZV\ufffd\ufffd\\r.@ep:\ufffd\ufffd\ufffdy;t\u046fKiPG\ufffd\\\\\ufffdB\\nE{W.\ufffdJJ\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u00037\ufffd\ufffd.\ufffd\\u0006\u036e\ufffd\ufffd\ufffdN\ufffdV\ufffdj\ufffd\\u000b\ufffd\ufffd(\u003E\ufffdK\\u001b\ufffd#=\ufffd\ufffd ZV\ufffd\ufffd\\r.@ep:\ufffd\ufffd\ufffdy;t\u046fK\\u0019iPG\ufffd\\\\\ufffdB\\nE{W.\\u0000\ufffdJJ\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd7\ufffd\ufffd.\ufffd\u036e\ufffd\ufffd\ufffdN\ufffdV\ufffdj\ufffd\ufffd\ufffd(\u003E\ufffdK\ufffd#=\ufffd\ufffd ZV\ufffd\ufffd\\r.@ep:\ufffd\ufffd\ufffdy;t\u046fKiPG\ufffd\\\\\ufffdB\\nE{W.\ufffdJJ\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":412},{"id":9689163,"ip":"82.102.31.6","ts":"2026-06-20 00:46:24.000000","proto":"tcp","src_port":59384,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 331, \u0022payload_entropy\u0022: 6.043082024538801, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221690a4da8223219767c317bb3c04d42e\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003\\b\ufffd^\ufffd\\u0000?\ufffd\u852f\ufffd\ufffd\u054d\ufffd8\ufffdy\ufffd7\ufffd+\ufffd\u0026\ufffd\ufffd\ufffd*\\u0004{\\u0014 y\\u001d\ufffd)c\ufffdH\ufffd\ufffdf\ufffdnS8\ufffd\ufffd!i\ufffdS\ufffdJE+\\u000ej\ufffd\ufffdBdf\ufffd\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003\\b\ufffd^\ufffd\\u0000?\ufffd\u852f\ufffd\ufffd\u054d\ufffd8\ufffdy\ufffd7\ufffd+\ufffd\u0026\ufffd\ufffd\ufffd*\\u0004{\\u0014 y\\u001d\ufffd)c\ufffdH\ufffd\ufffdf\ufffdnS8\ufffd\ufffd!i\ufffdS\ufffdJE+\\u000ej\ufffd\ufffdBdf\ufffd\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0010\\u00000\\u0000.\\bhttp\/0.9\\bhttp\/1.0\\u0006spdy\/1\\u0006spdy\/2\\u0006spdy\/3\\u0003h2c\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003\\b\ufffd^\ufffd\\u0000?\ufffd\u852f\ufffd\ufffd\u054d\ufffd8\ufffdy\ufffd7\ufffd+\ufffd\u0026\ufffd\ufffd\ufffd*\\u0004{\\u0014 y\\u001d\ufffd)c\ufffdH\ufffd\ufffdf\ufffdnS8\ufffd\ufffd!i\ufffdS\ufffdJE+\\u000ej\ufffd\ufffdBdf\ufffd\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003\\b\ufffd^\ufffd\\u0000?\ufffd\u852f\ufffd\ufffd\u054d\ufffd8\ufffdy\ufffd7\ufffd+\ufffd\u0026\ufffd\ufffd\ufffd*\\u0004{\\u0014 y\\u001d\ufffd)c\ufffdH\ufffd\ufffdf\ufffdnS8\ufffd\ufffd!i\ufffdS\ufffdJE+\\u000ej\ufffd\ufffdBdf\ufffd\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0010\\u00000\\u0000.\\bhttp\/0.9\\bhttp\/1.0\\u0006spdy\/1\\u0006spdy\/2\\u0006spdy\/3\\u0003h2c\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003\\b\ufffd^\ufffd\\u0000?\ufffd\u852f\ufffd\ufffd\u054d\ufffd8\ufffdy\ufffd7\ufffd+\ufffd\u0026\ufffd\ufffd\ufffd*\\u0004{\\u0014 y\\u001d\ufffd)c\ufffdH\ufffd\ufffdf\ufffdnS8\ufffd\ufffd!i\ufffdS\ufffdJE+\\u000ej\ufffd\ufffdBdf\ufffd\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221a74cf77c3f0609f4333b4983adc8c282fd52940\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003\\b\ufffd^\ufffd\\u0000?\ufffd\u852f\ufffd\ufffd\u054d\ufffd8\ufffdy\ufffd7\ufffd+\ufffd\u0026\ufffd\ufffd\ufffd*\\u0004{\\u0014 y\\u001d\ufffd)c\ufffdH\ufffd\ufffdf\ufffdnS8\ufffd\ufffd!i\ufffdS\ufffdJE+\\u000ej\ufffd\ufffdBdf\ufffd\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022FB\ufffd^\ufffd?\ufffd\u852f\ufffd\ufffd\u054d\ufffd8\ufffdy\ufffd7\ufffd+\ufffd\u0026\ufffd\ufffd\ufffd*{ y\ufffd)c\ufffdH\ufffd\ufffdf\ufffdnS8\ufffd\ufffd!i\ufffdS\ufffdJE+j\ufffd\ufffdBdf\ufffdD\ufffd\ufffd\u0027\ufffd\/\ufffd\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\ufffd\ufffd\\n\/\u003C\ufffd\ufffd\ufffd\ufffd\ufffd5=\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003\\b\ufffd^\ufffd\\u0000?\ufffd\u852f\ufffd\ufffd\u054d\ufffd8\ufffdy\ufffd7\ufffd+\ufffd\u0026\ufffd\ufffd\ufffd*\\u0004{\\u0014 y\\u001d\ufffd)c\ufffdH\ufffd\ufffdf\ufffdnS8\ufffd\ufffd!i\ufffdS\ufffdJE+\\u000ej\ufffd\ufffdBdf\ufffd\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022FB\ufffd^\ufffd?\ufffd\u852f\ufffd\ufffd\u054d\ufffd8\ufffdy\ufffd7\ufffd+\ufffd\u0026\ufffd\ufffd\ufffd*{ y\ufffd)c\ufffdH\ufffd\ufffdf\ufffdnS8\ufffd\ufffd!i\ufffdS\ufffdJE+j\ufffd\ufffdBdf\ufffdD\ufffd\ufffd\u0027\ufffd\/\ufffd\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\ufffd\ufffd\\n\/\u003C\ufffd\ufffd\ufffd\ufffd\ufffd5=\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":331},{"id":9689161,"ip":"82.102.31.6","ts":"2026-06-20 00:46:23.000000","proto":"tcp","src_port":59368,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 345, \u0022payload_entropy\u0022: 6.05821641924645, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022571c0464395a7ee3edffbcfa48f36b06\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003\\u001f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u04ae\ufffdW\ufffdC\\u001bS\ufffd@c\\u0005O\ufffdPLi\\u0016`y\ufffd\\u0005B` (\ufffd\ufffd{#W^\\u0014\ufffd\ufffd\\u001d}\\u0005\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u013e\u0026\\u00132\ufffdcQ\ufffd\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003\\u001f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u04ae\ufffdW\ufffdC\\u001bS\ufffd@c\\u0005O\ufffdPLi\\u0016`y\ufffd\\u0005B` (\ufffd\ufffd{#W^\\u0014\ufffd\ufffd\\u001d}\\u0005\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u013e\u0026\\u00132\ufffdcQ\ufffd\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000k\\u00009\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000g\\u00003\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0010\\u0000\u003C\\u0000:\\bhttp\/0.9\\bhttp\/1.0\\bhttp\/1.1\\u0006spdy\/1\\u0006spdy\/2\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003\\u001f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u04ae\ufffdW\ufffdC\\u001bS\ufffd@c\\u0005O\ufffdPLi\\u0016`y\ufffd\\u0005B` (\ufffd\ufffd{#W^\\u0014\ufffd\ufffd\\u001d}\\u0005\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u013e\u0026\\u00132\ufffdcQ\ufffd\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223dac6d63f02e7752c1e67689101ce4e2daf8ab08\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003\\u001f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u04ae\ufffdW\ufffdC\\u001bS\ufffd@c\\u0005O\ufffdPLi\\u0016`y\ufffd\\u0005B` (\ufffd\ufffd{#W^\\u0014\ufffd\ufffd\\u001d}\\u0005\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u013e\u0026\\u00132\ufffdcQ\ufffd\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022TP\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u04ae\ufffdW\ufffdCS\ufffd@cO\ufffdPLi`y\ufffdB` (\ufffd\ufffd{#W^\ufffd\ufffd}\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u013e\u00262\ufffdcQ\ufffdF\ufffd\ufffd\ufffd\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003\\u001f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u04ae\ufffdW\ufffdC\\u001bS\ufffd@c\\u0005O\ufffdPLi\\u0016`y\ufffd\\u0005B` (\ufffd\ufffd{#W^\\u0014\ufffd\ufffd\\u001d}\\u0005\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u013e\u0026\\u00132\ufffdcQ\ufffd\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TP\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u04ae\ufffdW\ufffdCS\ufffd@cO\ufffdPLi`y\ufffdB` (\ufffd\ufffd{#W^\ufffd\ufffd}\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u013e\u00262\ufffdcQ\ufffdF\ufffd\ufffd\ufffd\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":345},{"id":9689159,"ip":"82.102.31.6","ts":"2026-06-20 00:46:22.000000","proto":"tcp","src_port":59366,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 424, \u0022payload_entropy\u0022: 5.964837305605043, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b25c6154323f0bd8e4993d52086cba7f\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003C\u0200\ufffdx\ufffd\\u001c\ufffdJ\u00c3\\\\P\ufffd\ufffd\ufffd\uc052\ufffd\\u0016\ufffd\ufffdA\\u0004\ufffdD\\u0005Z\ufffd\ufffd\\r D\\\u0022O\ufffdJ\ufffd\ufffd\ufffdO\ufffdk\ufffd\ufffd\\u0007r\ufffd\\u0003\ufffd\ufffdu\ufffd8\ufffd\ufffd\u003C]\ufffd\\u0016\\u0011\ufffdp\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003C\u0200\ufffdx\ufffd\\u001c\ufffdJ\u00c3\\\\P\ufffd\ufffd\ufffd\uc052\ufffd\\u0016\ufffd\ufffdA\\u0004\ufffdD\\u0005Z\ufffd\ufffd\\r D\\\u0022O\ufffdJ\ufffd\ufffd\ufffdO\ufffdk\ufffd\ufffd\\u0007r\ufffd\\u0003\ufffd\ufffdu\ufffd8\ufffd\ufffd\u003C]\ufffd\\u0016\\u0011\ufffdp\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\ufffdv\ufffda\ufffd`\ufffd0\ufffd(\ufffd\\u0014\ufffd\/\ufffd\u0027\ufffd\\u0013\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000k\\u00009\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000g\\u00003\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003C\u0200\ufffdx\ufffd\\u001c\ufffdJ\u00c3\\\\P\ufffd\ufffd\ufffd\uc052\ufffd\\u0016\ufffd\ufffdA\\u0004\ufffdD\\u0005Z\ufffd\ufffd\\r D\\\u0022O\ufffdJ\ufffd\ufffd\ufffdO\ufffdk\ufffd\ufffd\\u0007r\ufffd\\u0003\ufffd\ufffdu\ufffd8\ufffd\ufffd\u003C]\ufffd\\u0016\\u0011\ufffdp\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ae9aa3578739041030721f654aa0b886ed142a2a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003C\u0200\ufffdx\ufffd\\u001c\ufffdJ\u00c3\\\\P\ufffd\ufffd\ufffd\uc052\ufffd\\u0016\ufffd\ufffdA\\u0004\ufffdD\\u0005Z\ufffd\ufffd\\r D\\\u0022O\ufffdJ\ufffd\ufffd\ufffdO\ufffdk\ufffd\ufffd\\u0007r\ufffd\\u0003\ufffd\ufffdu\ufffd8\ufffd\ufffd\u003C]\ufffd\\u0016\\u0011\ufffdp\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdC\u0200\ufffdx\ufffd\ufffdJ\u00c3\\\\P\ufffd\ufffd\ufffd\uc052\ufffd\ufffd\ufffdA\ufffdDZ\ufffd\ufffd\\r D\\\u0022O\ufffdJ\ufffd\ufffd\ufffdO\ufffdk\ufffd\ufffdr\ufffd\ufffd\ufffdu\ufffd8\ufffd\ufffd\u003C]\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\/\\n\ufffd\ufffd\u0328\ufffdw\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003C\u0200\ufffdx\ufffd\\u001c\ufffdJ\u00c3\\\\P\ufffd\ufffd\ufffd\uc052\ufffd\\u0016\ufffd\ufffdA\\u0004\ufffdD\\u0005Z\ufffd\ufffd\\r D\\\u0022O\ufffdJ\ufffd\ufffd\ufffdO\ufffdk\ufffd\ufffd\\u0007r\ufffd\\u0003\ufffd\ufffdu\ufffd8\ufffd\ufffd\u003C]\ufffd\\u0016\\u0011\ufffdp\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdC\u0200\ufffdx\ufffd\ufffdJ\u00c3\\\\P\ufffd\ufffd\ufffd\uc052\ufffd\ufffd\ufffdA\ufffdDZ\ufffd\ufffd\\r D\\\u0022O\ufffdJ\ufffd\ufffd\ufffdO\ufffdk\ufffd\ufffdr\ufffd\ufffd\ufffdu\ufffd8\ufffd\ufffd\u003C]\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\/\\n\ufffd\ufffd\u0328\ufffdw\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":424},{"id":9689158,"ip":"82.102.31.6","ts":"2026-06-20 00:46:21.000000","proto":"tcp","src_port":44420,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 424, \u0022payload_entropy\u0022: 5.9975044840187826, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00229231fd87243c174692031d1811d42f4a\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003hL\ufffd\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\ufffd5\\u001e]\ufffd\ufffd\ufffd\ufffdtG\ufffd\ufffdr\ufffdG\ufffd:\ufffd\u0220\ufffd* \u031c\\u0006\ufffd\\u001e\\u0006\\u000b\\u0010\\u0004U=\ufffd\u036bN\ufffd\ufffdb\\u00109\ufffd\\f\ufffd\ufffd\ufffd\ufffd\ufffdg\ufffdm\ufffd3\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003hL\ufffd\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\ufffd5\\u001e]\ufffd\ufffd\ufffd\ufffdtG\ufffd\ufffdr\ufffdG\ufffd:\ufffd\u0220\ufffd* \u031c\\u0006\ufffd\\u001e\\u0006\\u000b\\u0010\\u0004U=\ufffd\u036bN\ufffd\ufffdb\\u00109\ufffd\\f\ufffd\ufffd\ufffd\ufffd\ufffdg\ufffdm\ufffd3\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\\u0013\\u0002\\u0013\\u0001\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003hL\ufffd\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\ufffd5\\u001e]\ufffd\ufffd\ufffd\ufffdtG\ufffd\ufffdr\ufffdG\ufffd:\ufffd\u0220\ufffd* \u031c\\u0006\ufffd\\u001e\\u0006\\u000b\\u0010\\u0004U=\ufffd\u036bN\ufffd\ufffdb\\u00109\ufffd\\f\ufffd\ufffd\ufffd\ufffd\ufffdg\ufffdm\ufffd3\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223aaa8b5c02772d7b55a30f1c8dbcbc2865100970\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003hL\ufffd\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\ufffd5\\u001e]\ufffd\ufffd\ufffd\ufffdtG\ufffd\ufffdr\ufffdG\ufffd:\ufffd\u0220\ufffd* \u031c\\u0006\ufffd\\u001e\\u0006\\u000b\\u0010\\u0004U=\ufffd\u036bN\ufffd\ufffdb\\u00109\ufffd\\f\ufffd\ufffd\ufffd\ufffd\ufffdg\ufffdm\ufffd3\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdhL\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd5]\ufffd\ufffd\ufffd\ufffdtG\ufffd\ufffdr\ufffdG\ufffd:\ufffd\u0220\ufffd* \u031c\ufffdU=\ufffd\u036bN\ufffd\ufffdb9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdg\ufffdm\ufffd3\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003hL\ufffd\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\ufffd5\\u001e]\ufffd\ufffd\ufffd\ufffdtG\ufffd\ufffdr\ufffdG\ufffd:\ufffd\u0220\ufffd* \u031c\\u0006\ufffd\\u001e\\u0006\\u000b\\u0010\\u0004U=\ufffd\u036bN\ufffd\ufffdb\\u00109\ufffd\\f\ufffd\ufffd\ufffd\ufffd\ufffdg\ufffdm\ufffd3\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdhL\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd5]\ufffd\ufffd\ufffd\ufffdtG\ufffd\ufffdr\ufffdG\ufffd:\ufffd\u0220\ufffd* \u031c\ufffdU=\ufffd\u036bN\ufffd\ufffdb9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdg\ufffdm\ufffd3\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":424},{"id":9689157,"ip":"82.102.31.6","ts":"2026-06-20 00:46:19.000000","proto":"tcp","src_port":44418,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 3.9108471820357513, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d9b2f5cc24d0f4d62d6df64f8afde314\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd5\\u001b\ufffd\\u0017\u00266?\ufffd\ufffdN\ufffd\\u001d\ufffd\\u000b\ufffd\ufffdK\ufffd\u003EW\\u0016,\\u0010\ufffd\ufffdUl\ufffd:\\\u0022\ufffd {\ufffd\ufffd\ufffd\\\u0022A\ufffd\ufffd\\b\\u0013\ufffd\ufffd\u062d\ufffd\ufffd\u003C\ufffd\u0027\u00a8\\u001d\ufffd\ufffd\ufffdd\u0528\\u0014\ufffd\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd5\\u001b\ufffd\\u0017\u00266?\ufffd\ufffdN\ufffd\\u001d\ufffd\\u000b\ufffd\ufffdK\ufffd\u003EW\\u0016,\\u0010\ufffd\ufffdUl\ufffd:\\\u0022\ufffd {\ufffd\ufffd\ufffd\\\u0022A\ufffd\ufffd\\b\\u0013\ufffd\ufffd\u062d\ufffd\ufffd\u003C\ufffd\u0027\u00a8\\u001d\ufffd\ufffd\ufffdd\u0528\\u0014\ufffd\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\\u0000\ufffd\\u0000=\\u0000\u003C\\u00005\\u0000\/\\u0000\ufffd\\u0001\\u0000\\u0001u\\u0000\\u000b\\u0000\\u0004\\u0003\\u0000\\u0001\\u0002\\u0000\\n\\u0000\\u0016\\u0000\\u0014\\u0000\\u001d\\u0000\\u0017\\u0000\\u001e\\u0000\\u0019\\u0000\\u0018\\u0001\\u0000\\u0001\\u0001\\u0001\\u0002\\u0001\\u0003\\u0001\\u0004\\u0000#\\u0000\\u0000\\u0000\\u0016\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\r\\u0000*\\u0000(\\u0004\\u0003\\u0005\\u0003\\u0006\\u0003\\b\\u0007\\b\\b\\b\\t\\b\\n\\b\\u000b\\b\\u0004\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0003\\u0003\\u0003\\u0001\\u0003\\u0002\\u0004\\u0002\\u0005\\u0002\\u0006\\u0002\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u0000-\\u0000\\u0002\\u0001\\u0001\\u00003\\u0000\u0026\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd5\\u001b\ufffd\\u0017\u00266?\ufffd\ufffdN\ufffd\\u001d\ufffd\\u000b\ufffd\ufffdK\ufffd\u003EW\\u0016,\\u0010\ufffd\ufffdUl\ufffd:\\\u0022\ufffd {\ufffd\ufffd\ufffd\\\u0022A\ufffd\ufffd\\b\\u0013\ufffd\ufffd\u062d\ufffd\ufffd\u003C\ufffd\u0027\u00a8\\u001d\ufffd\ufffd\ufffdd\u0528\\u0014\ufffd\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002211872c1e93b55db4b9ba4a7c8b7995dabf7eae9d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd5\\u001b\ufffd\\u0017\u00266?\ufffd\ufffdN\ufffd\\u001d\ufffd\\u000b\ufffd\ufffdK\ufffd\u003EW\\u0016,\\u0010\ufffd\ufffdUl\ufffd:\\\u0022\ufffd {\ufffd\ufffd\ufffd\\\u0022A\ufffd\ufffd\\b\\u0013\ufffd\ufffd\u062d\ufffd\ufffd\u003C\ufffd\u0027\u00a8\\u001d\ufffd\ufffd\ufffdd\u0528\\u0014\ufffd\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd5\ufffd\u00266?\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffdK\ufffd\u003EW,\ufffd\ufffdUl\ufffd:\\\u0022\ufffd {\ufffd\ufffd\ufffd\\\u0022A\ufffd\ufffd\ufffd\ufffd\u062d\ufffd\ufffd\u003C\ufffd\u0027\u00a8\ufffd\ufffd\ufffdd\u0528\ufffd\ufffd\ufffd\u003E\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd\u0027g\ufffd\\n\ufffd9\ufffd\\t\ufffd3\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd5\\u001b\ufffd\\u0017\u00266?\ufffd\ufffdN\ufffd\\u001d\ufffd\\u000b\ufffd\ufffdK\ufffd\u003EW\\u0016,\\u0010\ufffd\ufffdUl\ufffd:\\\u0022\ufffd {\ufffd\ufffd\ufffd\\\u0022A\ufffd\ufffd\\b\\u0013\ufffd\ufffd\u062d\ufffd\ufffd\u003C\ufffd\u0027\u00a8\\u001d\ufffd\ufffd\ufffdd\u0528\\u0014\ufffd\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd5\ufffd\u00266?\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffdK\ufffd\u003EW,\ufffd\ufffdUl\ufffd:\\\u0022\ufffd {\ufffd\ufffd\ufffd\\\u0022A\ufffd\ufffd\ufffd\ufffd\u062d\ufffd\ufffd\u003C\ufffd\u0027\u00a8\ufffd\ufffd\ufffdd\u0528\ufffd\ufffd\ufffd\u003E\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd\u0027g\ufffd\\n\ufffd9\ufffd\\t\ufffd3\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":517},{"id":9618137,"ip":"82.102.31.6","ts":"2026-06-18 23:49:13.000000","proto":"tcp","src_port":60810,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 439, \u0022payload_entropy\u0022: 6.044500084061821, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002227d9ad04fc5ae0087e926da2d38da490\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003v\ufffd\ufffd\ufffd\ufffd\ufffd\\u00060(\ufffd\ufffdKt\ufffd=\ufffd\ufffd\ufffd75\ufffdiIkE\ufffd\ufffdvr\u0314\\\u0022 \ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffdO\u039c}\uf45fP\ufffd\ufffd\\t(31FF\ufffd\\u001f,|\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003v\ufffd\ufffd\ufffd\ufffd\ufffd\\u00060(\ufffd\ufffdKt\ufffd=\ufffd\ufffd\ufffd75\ufffdiIkE\ufffd\ufffdvr\u0314\\\u0022 \ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffdO\u039c}\uf45fP\ufffd\ufffd\\t(31FF\ufffd\\u001f,|\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\ufffd\\n\\u0013\\u0004\ufffd+\\u0013\\u0003\ufffd\ufffd\ufffd\\u0013\ufffd\ufffd\ufffd\\u0011\ufffd#\\u0000\\n\ufffd\\t\\u0000\/\ufffd\\b\\u0000\u003C\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000E\\u0000=\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000k\\u0000A\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\\u0007\\u0000g\\u0000\\u0004\\u00003\\u0000\\u0005\\u0000\\u0016\\u0001\\u0000\\u0000\ufffdZZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003v\ufffd\ufffd\ufffd\ufffd\ufffd\\u00060(\ufffd\ufffdKt\ufffd=\ufffd\ufffd\ufffd75\ufffdiIkE\ufffd\ufffdvr\u0314\\\u0022 \ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffdO\u039c}\uf45fP\ufffd\ufffd\\t(31FF\ufffd\\u001f,|\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003v\ufffd\ufffd\ufffd\ufffd\ufffd\\u00060(\ufffd\ufffdKt\ufffd=\ufffd\ufffd\ufffd75\ufffdiIkE\ufffd\ufffdvr\u0314\\\u0022 \ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffdO\u039c}\uf45fP\ufffd\ufffd\\t(31FF\ufffd\\u001f,|\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\ufffd\\n\\u0013\\u0004\ufffd+\\u0013\\u0003\ufffd\ufffd\ufffd\\u0013\ufffd\ufffd\ufffd\\u0011\ufffd#\\u0000\\n\ufffd\\t\\u0000\/\ufffd\\b\\u0000\u003C\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000E\\u0000=\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000k\\u0000A\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\\u0007\\u0000g\\u0000\\u0004\\u00003\\u0000\\u0005\\u0000\\u0016\\u0001\\u0000\\u0000\ufffdZZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003v\ufffd\ufffd\ufffd\ufffd\ufffd\\u00060(\ufffd\ufffdKt\ufffd=\ufffd\ufffd\ufffd75\ufffdiIkE\ufffd\ufffdvr\u0314\\\u0022 \ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffdO\u039c}\uf45fP\ufffd\ufffd\\t(31FF\ufffd\\u001f,|\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225595b55377f60bda4f80a6bf659257ceaa265973\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003v\ufffd\ufffd\ufffd\ufffd\ufffd\\u00060(\ufffd\ufffdKt\ufffd=\ufffd\ufffd\ufffd75\ufffdiIkE\ufffd\ufffdvr\u0314\\\u0022 \ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffdO\u039c}\uf45fP\ufffd\ufffd\\t(31FF\ufffd\\u001f,|\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd0(\ufffd\ufffdKt\ufffd=\ufffd\ufffd\ufffd75\ufffdiIkE\ufffd\ufffdvr\u0314\\\u0022 \ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffdO\u039c}\uf45fP\ufffd\ufffd\\t(31FF\ufffd,|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003v\ufffd\ufffd\ufffd\ufffd\ufffd\\u00060(\ufffd\ufffdKt\ufffd=\ufffd\ufffd\ufffd75\ufffdiIkE\ufffd\ufffdvr\u0314\\\u0022 \ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffdO\u039c}\uf45fP\ufffd\ufffd\\t(31FF\ufffd\\u001f,|\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd0(\ufffd\ufffdKt\ufffd=\ufffd\ufffd\ufffd75\ufffdiIkE\ufffd\ufffdvr\u0314\\\u0022 \ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffdO\u039c}\uf45fP\ufffd\ufffd\\t(31FF\ufffd,|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":439},{"id":9618134,"ip":"82.102.31.6","ts":"2026-06-18 23:49:12.000000","proto":"tcp","src_port":60798,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 416, \u0022payload_entropy\u0022: 5.964687832519071, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022694468500a917f32575c48a9277ba80a\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffde\\u0000\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffdo\ufffdY\ufffd:Z+wH\ufffd.4\ufffd\u01c3H\u0752+X\\tF \ufffd\ufffd\\u001fy\ufffd\ufffd\ufffdl0\ufffd\ufffd8\\\\V\u0163\\u001a\ufffdQ\ufffd3\\\u0022\\u0014Bli\ufffd\\u0004:\\\u0022\\u0002\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffde\\u0000\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffdo\ufffdY\ufffd:Z+wH\ufffd.4\ufffd\u01c3H\u0752+X\\tF \ufffd\ufffd\\u001fy\ufffd\ufffd\ufffdl0\ufffd\ufffd8\\\\V\u0163\\u001a\ufffdQ\ufffd3\\\u0022\\u0014Bli\ufffd\\u0004:\\\u0022\\u0002\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffde\\u0000\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffdo\ufffdY\ufffd:Z+wH\ufffd.4\ufffd\u01c3H\u0752+X\\tF \ufffd\ufffd\\u001fy\ufffd\ufffd\ufffdl0\ufffd\ufffd8\\\\V\u0163\\u001a\ufffdQ\ufffd3\\\u0022\\u0014Bli\ufffd\\u0004:\\\u0022\\u0002\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002236a266aa165950669b8369c4f8ff7dd16f65f8d0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffde\\u0000\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffdo\ufffdY\ufffd:Z+wH\ufffd.4\ufffd\u01c3H\u0752+X\\tF \ufffd\ufffd\\u001fy\ufffd\ufffd\ufffdl0\ufffd\ufffd8\\\\V\u0163\\u001a\ufffdQ\ufffd3\\\u0022\\u0014Bli\ufffd\\u0004:\\\u0022\\u0002\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffde\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffdo\ufffdY\ufffd:Z+wH\ufffd.4\ufffd\u01c3H\u0752+X\\tF \ufffd\ufffdy\ufffd\ufffd\ufffdl0\ufffd\ufffd8\\\\V\u0163\ufffdQ\ufffd3\\\u0022Bli\ufffd:\\\u0022\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffde\\u0000\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffdo\ufffdY\ufffd:Z+wH\ufffd.4\ufffd\u01c3H\u0752+X\\tF \ufffd\ufffd\\u001fy\ufffd\ufffd\ufffdl0\ufffd\ufffd8\\\\V\u0163\\u001a\ufffdQ\ufffd3\\\u0022\\u0014Bli\ufffd\\u0004:\\\u0022\\u0002\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffde\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffdo\ufffdY\ufffd:Z+wH\ufffd.4\ufffd\u01c3H\u0752+X\\tF \ufffd\ufffdy\ufffd\ufffd\ufffdl0\ufffd\ufffd8\\\\V\u0163\ufffdQ\ufffd3\\\u0022Bli\ufffd:\\\u0022\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":416},{"id":9618128,"ip":"82.102.31.6","ts":"2026-06-18 23:49:11.000000","proto":"tcp","src_port":58278,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 426, \u0022payload_entropy\u0022: 5.9976002540113305, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228c818410de1e58ba6c5a1a6e6d39f55d\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003Vz\u074b|y\ufffdG|c\ufffd\ufffd\\u0018\ufffd\\b\ufffd\ufffd\ufffd\ufffd\ufffd0\ufffd\ufffd\ufffdT\\u0017\ufffd\\t\ufffd%\ufffd \ufffd\ufffd\u0360!\ufffd`\ufffdLL\ufffd\ufffdR9\ufffd\\u0005\\u0010\ufffdDD\\u0002\ufffd_\ufffdB\ufffd\ufffd\ufffdB\ufffdx\\\\\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003Vz\u074b|y\ufffdG|c\ufffd\ufffd\\u0018\ufffd\\b\ufffd\ufffd\ufffd\ufffd\ufffd0\ufffd\ufffd\ufffdT\\u0017\ufffd\\t\ufffd%\ufffd \ufffd\ufffd\u0360!\ufffd`\ufffdLL\ufffd\ufffdR9\ufffd\\u0005\\u0010\ufffdDD\\u0002\ufffd_\ufffdB\ufffd\ufffd\ufffdB\ufffdx\\\\\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\\u0013\\u0002\\u0013\\u0001\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003Vz\u074b|y\ufffdG|c\ufffd\ufffd\\u0018\ufffd\\b\ufffd\ufffd\ufffd\ufffd\ufffd0\ufffd\ufffd\ufffdT\\u0017\ufffd\\t\ufffd%\ufffd \ufffd\ufffd\u0360!\ufffd`\ufffdLL\ufffd\ufffdR9\ufffd\\u0005\\u0010\ufffdDD\\u0002\ufffd_\ufffdB\ufffd\ufffd\ufffdB\ufffdx\\\\\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bd123699bb6e0931a198733cc721c3fdb4bb11be\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003Vz\u074b|y\ufffdG|c\ufffd\ufffd\\u0018\ufffd\\b\ufffd\ufffd\ufffd\ufffd\ufffd0\ufffd\ufffd\ufffdT\\u0017\ufffd\\t\ufffd%\ufffd \ufffd\ufffd\u0360!\ufffd`\ufffdLL\ufffd\ufffdR9\ufffd\\u0005\\u0010\ufffdDD\\u0002\ufffd_\ufffdB\ufffd\ufffd\ufffdB\ufffdx\\\\\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdVz\u074b|y\ufffdG|c\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd0\ufffd\ufffd\ufffdT\ufffd\\t\ufffd%\ufffd \ufffd\ufffd\u0360!\ufffd`\ufffdLL\ufffd\ufffdR9\ufffd\ufffdDD\ufffd_\ufffdB\ufffd\ufffd\ufffdB\ufffdx\\\\\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003Vz\u074b|y\ufffdG|c\ufffd\ufffd\\u0018\ufffd\\b\ufffd\ufffd\ufffd\ufffd\ufffd0\ufffd\ufffd\ufffdT\\u0017\ufffd\\t\ufffd%\ufffd \ufffd\ufffd\u0360!\ufffd`\ufffdLL\ufffd\ufffdR9\ufffd\\u0005\\u0010\ufffdDD\\u0002\ufffd_\ufffdB\ufffd\ufffd\ufffdB\ufffdx\\\\\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdVz\u074b|y\ufffdG|c\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd0\ufffd\ufffd\ufffdT\ufffd\\t\ufffd%\ufffd \ufffd\ufffd\u0360!\ufffd`\ufffdLL\ufffd\ufffdR9\ufffd\ufffdDD\ufffd_\ufffdB\ufffd\ufffd\ufffdB\ufffdx\\\\\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":426},{"id":9618131,"ip":"82.102.31.6","ts":"2026-06-18 23:49:11.000000","proto":"tcp","src_port":58280,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 426, \u0022payload_entropy\u0022: 6.028192872641822, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002246ed1130528f6bbcb38fa15030066257\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd5I\u4d29-p{\\u0011P\ufffd9i_\\u001e\ufffd\\u0003Y\ufffd\ufffd\ufffd\ufffd\\\u0022%\/\ufffd\\u0006\u003E\ufffdy} \ufffd\ufffd\ufffd%a\ufffdI\ufffd\\u000e\ufffdD\\u001d\ufffdl\ufffd\ufffd\ufffd\ufffd\ufffdE\\f\\u0005\ufffd6]\ufffd\ufffd}Qr\\u000e(\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd5I\u4d29-p{\\u0011P\ufffd9i_\\u001e\ufffd\\u0003Y\ufffd\ufffd\ufffd\ufffd\\\u0022%\/\ufffd\\u0006\u003E\ufffdy} \ufffd\ufffd\ufffd%a\ufffdI\ufffd\\u000e\ufffdD\\u001d\ufffdl\ufffd\ufffd\ufffd\ufffd\ufffdE\\f\\u0005\ufffd6]\ufffd\ufffd}Qr\\u000e(\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\ufffdv\ufffda\ufffd`\ufffd0\ufffd(\ufffd\\u0014\ufffd\/\ufffd\u0027\ufffd\\u0013\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000k\\u00009\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000g\\u00003\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd5I\u4d29-p{\\u0011P\ufffd9i_\\u001e\ufffd\\u0003Y\ufffd\ufffd\ufffd\ufffd\\\u0022%\/\ufffd\\u0006\u003E\ufffdy} \ufffd\ufffd\ufffd%a\ufffdI\ufffd\\u000e\ufffdD\\u001d\ufffdl\ufffd\ufffd\ufffd\ufffd\ufffdE\\f\\u0005\ufffd6]\ufffd\ufffd}Qr\\u000e(\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eb307e09886c91a9bb115580052bc042a5e4189e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd5I\u4d29-p{\\u0011P\ufffd9i_\\u001e\ufffd\\u0003Y\ufffd\ufffd\ufffd\ufffd\\\u0022%\/\ufffd\\u0006\u003E\ufffdy} \ufffd\ufffd\ufffd%a\ufffdI\ufffd\\u000e\ufffdD\\u001d\ufffdl\ufffd\ufffd\ufffd\ufffd\ufffdE\\f\\u0005\ufffd6]\ufffd\ufffd}Qr\\u000e(\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd5I\u4d29-p{P\ufffd9i_\ufffdY\ufffd\ufffd\ufffd\ufffd\\\u0022%\/\ufffd\u003E\ufffdy} \ufffd\ufffd\ufffd%a\ufffdI\ufffd\ufffdD\ufffdl\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd6]\ufffd\ufffd}Qr(\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\/\\n\ufffd\ufffd\u0328\ufffdw\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd5I\u4d29-p{\\u0011P\ufffd9i_\\u001e\ufffd\\u0003Y\ufffd\ufffd\ufffd\ufffd\\\u0022%\/\ufffd\\u0006\u003E\ufffdy} \ufffd\ufffd\ufffd%a\ufffdI\ufffd\\u000e\ufffdD\\u001d\ufffdl\ufffd\ufffd\ufffd\ufffd\ufffdE\\f\\u0005\ufffd6]\ufffd\ufffd}Qr\\u000e(\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd5I\u4d29-p{P\ufffd9i_\ufffdY\ufffd\ufffd\ufffd\ufffd\\\u0022%\/\ufffd\u003E\ufffdy} \ufffd\ufffd\ufffd%a\ufffdI\ufffd\ufffdD\ufffdl\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd6]\ufffd\ufffd}Qr(\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\/\\n\ufffd\ufffd\u0328\ufffdw\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":426},{"id":9618127,"ip":"82.102.31.6","ts":"2026-06-18 23:49:10.000000","proto":"tcp","src_port":58270,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 413, \u0022payload_entropy\u0022: 6.018348840848087, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022727b60df772892bd21e089a9efe7a3f9\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002\\u0004\ufffd8\ufffdZ\ufffd\\u001c\ufffd\ufffd9f\\u001b!7Z~\\u00179\u003C\ufffd\ufffd=\ufffd\ufffd|lD\u003Ext\ufffd3 \ufffdu\\u0018a \ufffdaL\ufffd\ufffdI\ufffd\\u0003\ufffd\ufffd\\u0003i\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002\\u0004\ufffd8\ufffdZ\ufffd\\u001c\ufffd\ufffd9f\\u001b!7Z~\\u00179\u003C\ufffd\ufffd=\ufffd\ufffd|lD\u003Ext\ufffd3 \ufffdu\\u0018a \ufffdaL\ufffd\ufffdI\ufffd\\u0003\ufffd\ufffd\\u0003i\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\\u0013\\u0002\\u0013\\u0001\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002\\u0004\ufffd8\ufffdZ\ufffd\\u001c\ufffd\ufffd9f\\u001b!7Z~\\u00179\u003C\ufffd\ufffd=\ufffd\ufffd|lD\u003Ext\ufffd3 \ufffdu\\u0018a \ufffdaL\ufffd\ufffdI\ufffd\\u0003\ufffd\ufffd\\u0003i\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cb03cf965d01a746b3d5070d4ee02387ca901088\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002\\u0004\ufffd8\ufffdZ\ufffd\\u001c\ufffd\ufffd9f\\u001b!7Z~\\u00179\u003C\ufffd\ufffd=\ufffd\ufffd|lD\u003Ext\ufffd3 \ufffdu\\u0018a \ufffdaL\ufffd\ufffdI\ufffd\\u0003\ufffd\ufffd\\u0003i\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd8\ufffdZ\ufffd\ufffd\ufffd9f!7Z~9\u003C\ufffd\ufffd=\ufffd\ufffd|lD\u003Ext\ufffd3 \ufffdua \ufffdaL\ufffd\ufffdI\ufffd\ufffd\ufffdi\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002\\u0004\ufffd8\ufffdZ\ufffd\\u001c\ufffd\ufffd9f\\u001b!7Z~\\u00179\u003C\ufffd\ufffd=\ufffd\ufffd|lD\u003Ext\ufffd3 \ufffdu\\u0018a \ufffdaL\ufffd\ufffdI\ufffd\\u0003\ufffd\ufffd\\u0003i\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd8\ufffdZ\ufffd\ufffd\ufffd9f!7Z~9\u003C\ufffd\ufffd=\ufffd\ufffd|lD\u003Ext\ufffd3 \ufffdua \ufffdaL\ufffd\ufffdI\ufffd\ufffd\ufffdi\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":413},{"id":9618125,"ip":"82.102.31.6","ts":"2026-06-18 23:49:09.000000","proto":"tcp","src_port":58268,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 412, \u0022payload_entropy\u0022: 5.96095018116557, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022dcd7e339c36b71645c141f4f06ad048a\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003 (\ufffd\ufffdjp\ufffd.n\ufffdcs\ufffd\\u0005w\ufffd\ufffd5\ufffd\ufffdy\ufffd\\f\\fd\\u0019M\ufffd\\\u0022\u027b \ufffdkm\ufffd\ufffd\ufffd\ufffd\\u0018pi\\n\ufffd4\ufffd\ufffd\\u0017\ufffd\ufffd\ufffdY\ufffdH\ufffddT\ufffd\ufffd\\u0005\ufffdI\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003 (\ufffd\ufffdjp\ufffd.n\ufffdcs\ufffd\\u0005w\ufffd\ufffd5\ufffd\ufffdy\ufffd\\f\\fd\\u0019M\ufffd\\\u0022\u027b \ufffdkm\ufffd\ufffd\ufffd\ufffd\\u0018pi\\n\ufffd4\ufffd\ufffd\\u0017\ufffd\ufffd\ufffdY\ufffdH\ufffddT\ufffd\ufffd\\u0005\ufffdI\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\ufffd\\n\\u0013\\u0004\ufffd+\\u0013\\u0003\ufffd\ufffd\ufffd\\u0013\ufffd\ufffd\ufffd\\u0011\ufffd#\\u0000\\n\ufffd\\t\\u0000\/\ufffd\\b\\u0000\u003C\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000E\\u0000=\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000k\\u0000A\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\\u0007\\u0000g\\u0000\\u0004\\u00003\\u0000\\u0005\\u0000\\u0016\\u0001\\u0000\\u0000\ufffdZZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003 (\ufffd\ufffdjp\ufffd.n\ufffdcs\ufffd\\u0005w\ufffd\ufffd5\ufffd\ufffdy\ufffd\\f\\fd\\u0019M\ufffd\\\u0022\u027b \ufffdkm\ufffd\ufffd\ufffd\ufffd\\u0018pi\\n\ufffd4\ufffd\ufffd\\u0017\ufffd\ufffd\ufffdY\ufffdH\ufffddT\ufffd\ufffd\\u0005\ufffdI\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220da1ae315c2a8316f96a6f7e84d215c116c021d9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003 (\ufffd\ufffdjp\ufffd.n\ufffdcs\ufffd\\u0005w\ufffd\ufffd5\ufffd\ufffdy\ufffd\\f\\fd\\u0019M\ufffd\\\u0022\u027b \ufffdkm\ufffd\ufffd\ufffd\ufffd\\u0018pi\\n\ufffd4\ufffd\ufffd\\u0017\ufffd\ufffd\ufffdY\ufffdH\ufffddT\ufffd\ufffd\\u0005\ufffdI\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd (\ufffd\ufffdjp\ufffd.n\ufffdcs\ufffdw\ufffd\ufffd5\ufffd\ufffdy\ufffddM\ufffd\\\u0022\u027b \ufffdkm\ufffd\ufffd\ufffd\ufffdpi\\n\ufffd4\ufffd\ufffd\ufffd\ufffd\ufffdY\ufffdH\ufffddT\ufffd\ufffd\ufffdI\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003 (\ufffd\ufffdjp\ufffd.n\ufffdcs\ufffd\\u0005w\ufffd\ufffd5\ufffd\ufffdy\ufffd\\f\\fd\\u0019M\ufffd\\\u0022\u027b \ufffdkm\ufffd\ufffd\ufffd\ufffd\\u0018pi\\n\ufffd4\ufffd\ufffd\\u0017\ufffd\ufffd\ufffdY\ufffdH\ufffddT\ufffd\ufffd\\u0005\ufffdI\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd (\ufffd\ufffdjp\ufffd.n\ufffdcs\ufffdw\ufffd\ufffd5\ufffd\ufffdy\ufffddM\ufffd\\\u0022\u027b \ufffdkm\ufffd\ufffd\ufffd\ufffdpi\\n\ufffd4\ufffd\ufffd\ufffd\ufffd\ufffdY\ufffdH\ufffddT\ufffd\ufffd\ufffdI\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":412},{"id":9618124,"ip":"82.102.31.6","ts":"2026-06-18 23:49:08.000000","proto":"tcp","src_port":58254,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 331, \u0022payload_entropy\u0022: 6.008713026471873, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022efb49cb1b4357fa0d46aeecda2fa044e\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003\ufffd\ufffd\ufffd|\ufffd\\u001d\ufffd\\\u0022\\u0007\ufffd\ufffd\ufffd5\ufffd)x`\\u001c\ufffd\u003Cv\ufffd\ufffd\ufffd\ufffd\\u000f\ufffd\ufffdz\ufffd `\ufffdA\ufffd\\u001b\ufffd\ufffdr\\r\ufffd}\ufffd\u0614\ufffd\ufffd\ufffd\ufffd6\\b\ufffd\\u0018aG\ufffd\u02ab|c\ufffdF!\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003\ufffd\ufffd\ufffd|\ufffd\\u001d\ufffd\\\u0022\\u0007\ufffd\ufffd\ufffd5\ufffd)x`\\u001c\ufffd\u003Cv\ufffd\ufffd\ufffd\ufffd\\u000f\ufffd\ufffdz\ufffd `\ufffdA\ufffd\\u001b\ufffd\ufffdr\\r\ufffd}\ufffd\u0614\ufffd\ufffd\ufffd\ufffd6\\b\ufffd\\u0018aG\ufffd\u02ab|c\ufffdF!\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0010\\u00000\\u0000.\\bhttp\/0.9\\bhttp\/1.0\\u0006spdy\/1\\u0006spdy\/2\\u0006spdy\/3\\u0003h2c\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003\ufffd\ufffd\ufffd|\ufffd\\u001d\ufffd\\\u0022\\u0007\ufffd\ufffd\ufffd5\ufffd)x`\\u001c\ufffd\u003Cv\ufffd\ufffd\ufffd\ufffd\\u000f\ufffd\ufffdz\ufffd `\ufffdA\ufffd\\u001b\ufffd\ufffdr\\r\ufffd}\ufffd\u0614\ufffd\ufffd\ufffd\ufffd6\\b\ufffd\\u0018aG\ufffd\u02ab|c\ufffdF!\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221944e78b96485357db6a31f39bd9cad4741745c8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003\ufffd\ufffd\ufffd|\ufffd\\u001d\ufffd\\\u0022\\u0007\ufffd\ufffd\ufffd5\ufffd)x`\\u001c\ufffd\u003Cv\ufffd\ufffd\ufffd\ufffd\\u000f\ufffd\ufffdz\ufffd `\ufffdA\ufffd\\u001b\ufffd\ufffdr\\r\ufffd}\ufffd\u0614\ufffd\ufffd\ufffd\ufffd6\\b\ufffd\\u0018aG\ufffd\u02ab|c\ufffdF!\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022FB\ufffd\ufffd\ufffd|\ufffd\ufffd\\\u0022\ufffd\ufffd\ufffd5\ufffd)x`\ufffd\u003Cv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd `\ufffdA\ufffd\ufffd\ufffdr\\r\ufffd}\ufffd\u0614\ufffd\ufffd\ufffd\ufffd6\ufffdaG\ufffd\u02ab|c\ufffdF!D\ufffd\ufffd\u0027\ufffd\/\ufffd\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\ufffd\ufffd\\n\/\u003C\ufffd\ufffd\ufffd\ufffd\ufffd5=\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003\ufffd\ufffd\ufffd|\ufffd\\u001d\ufffd\\\u0022\\u0007\ufffd\ufffd\ufffd5\ufffd)x`\\u001c\ufffd\u003Cv\ufffd\ufffd\ufffd\ufffd\\u000f\ufffd\ufffdz\ufffd `\ufffdA\ufffd\\u001b\ufffd\ufffdr\\r\ufffd}\ufffd\u0614\ufffd\ufffd\ufffd\ufffd6\\b\ufffd\\u0018aG\ufffd\u02ab|c\ufffdF!\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022FB\ufffd\ufffd\ufffd|\ufffd\ufffd\\\u0022\ufffd\ufffd\ufffd5\ufffd)x`\ufffd\u003Cv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd `\ufffdA\ufffd\ufffd\ufffdr\\r\ufffd}\ufffd\u0614\ufffd\ufffd\ufffd\ufffd6\ufffdaG\ufffd\u02ab|c\ufffdF!D\ufffd\ufffd\u0027\ufffd\/\ufffd\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\ufffd\ufffd\\n\/\u003C\ufffd\ufffd\ufffd\ufffd\ufffd5=\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":331},{"id":9618123,"ip":"82.102.31.6","ts":"2026-06-18 23:49:07.000000","proto":"tcp","src_port":58240,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 345, \u0022payload_entropy\u0022: 6.073358260804145, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221d7094c40db9fc847ae2f73bc6dec17d\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003,v(\\u000f#\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffdcc\ufffd3?\ufffd\\\u0022\ufffdTB\ufffd\\u0006H\ufffd^]j\ufffdd\ufffd zV\ufffd\\u0014\ufffd\\u001f\ufffd\/z\ufffd\ufffdr\ufffd\u03d1\\\\\ufffdVI\ufffdZ\ufffdS\ufffd\u4e2ec\ufffd \\u000b%\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003,v(\\u000f#\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffdcc\ufffd3?\ufffd\\\u0022\ufffdTB\ufffd\\u0006H\ufffd^]j\ufffdd\ufffd zV\ufffd\\u0014\ufffd\\u001f\ufffd\/z\ufffd\ufffdr\ufffd\u03d1\\\\\ufffdVI\ufffdZ\ufffdS\ufffd\u4e2ec\ufffd \\u000b%\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000k\\u00009\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000g\\u00003\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0010\\u0000\u003C\\u0000:\\bhttp\/0.9\\bhttp\/1.0\\bhttp\/1.1\\u0006spdy\/1\\u0006spdy\/2\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003,v(\\u000f#\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffdcc\ufffd3?\ufffd\\\u0022\ufffdTB\ufffd\\u0006H\ufffd^]j\ufffdd\ufffd zV\ufffd\\u0014\ufffd\\u001f\ufffd\/z\ufffd\ufffdr\ufffd\u03d1\\\\\ufffdVI\ufffdZ\ufffdS\ufffd\u4e2ec\ufffd \\u000b%\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003,v(\\u000f#\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffdcc\ufffd3?\ufffd\\\u0022\ufffdTB\ufffd\\u0006H\ufffd^]j\ufffdd\ufffd zV\ufffd\\u0014\ufffd\\u001f\ufffd\/z\ufffd\ufffdr\ufffd\u03d1\\\\\ufffdVI\ufffdZ\ufffdS\ufffd\u4e2ec\ufffd \\u000b%\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000k\\u00009\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000g\\u00003\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0010\\u0000\u003C\\u0000:\\bhttp\/0.9\\bhttp\/1.0\\bhttp\/1.1\\u0006spdy\/1\\u0006spdy\/2\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003,v(\\u000f#\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffdcc\ufffd3?\ufffd\\\u0022\ufffdTB\ufffd\\u0006H\ufffd^]j\ufffdd\ufffd zV\ufffd\\u0014\ufffd\\u001f\ufffd\/z\ufffd\ufffdr\ufffd\u03d1\\\\\ufffdVI\ufffdZ\ufffdS\ufffd\u4e2ec\ufffd \\u000b%\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002213ee617b2fed3bd90f361485b70df09fdf09891b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003,v(\\u000f#\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffdcc\ufffd3?\ufffd\\\u0022\ufffdTB\ufffd\\u0006H\ufffd^]j\ufffdd\ufffd zV\ufffd\\u0014\ufffd\\u001f\ufffd\/z\ufffd\ufffdr\ufffd\u03d1\\\\\ufffdVI\ufffdZ\ufffdS\ufffd\u4e2ec\ufffd \\u000b%\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022TP,v(#\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffdcc\ufffd3?\ufffd\\\u0022\ufffdTB\ufffdH\ufffd^]j\ufffdd\ufffd zV\ufffd\ufffd\ufffd\/z\ufffd\ufffdr\ufffd\u03d1\\\\\ufffdVI\ufffdZ\ufffdS\ufffd\u4e2ec\ufffd %F\ufffd\ufffd\ufffd\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003,v(\\u000f#\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffdcc\ufffd3?\ufffd\\\u0022\ufffdTB\ufffd\\u0006H\ufffd^]j\ufffdd\ufffd zV\ufffd\\u0014\ufffd\\u001f\ufffd\/z\ufffd\ufffdr\ufffd\u03d1\\\\\ufffdVI\ufffdZ\ufffdS\ufffd\u4e2ec\ufffd \\u000b%\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TP,v(#\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffdcc\ufffd3?\ufffd\\\u0022\ufffdTB\ufffdH\ufffd^]j\ufffdd\ufffd zV\ufffd\ufffd\ufffd\/z\ufffd\ufffdr\ufffd\u03d1\\\\\ufffdVI\ufffdZ\ufffdS\ufffd\u4e2ec\ufffd %F\ufffd\ufffd\ufffd\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":345},{"id":9618121,"ip":"82.102.31.6","ts":"2026-06-18 23:49:06.000000","proto":"tcp","src_port":58222,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 424, \u0022payload_entropy\u0022: 6.028742542317228, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f575bc62c3768370bf3ce638b3907f99\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u040f\ufffd\ufffdWpv\ufffd\ufffd8q\ufffd[N\ufffdUo\ufffd\u032bN\ufffd\\fR\ufffd\ufffdl\ufffd\ufffdU\ufffd y\ufffdW\ufffd\u0712\ufffdB2q;U|\ufffd#\ufffd\ufffd\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffd\u009b\ufffd0\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u040f\ufffd\ufffdWpv\ufffd\ufffd8q\ufffd[N\ufffdUo\ufffd\u032bN\ufffd\\fR\ufffd\ufffdl\ufffd\ufffdU\ufffd y\ufffdW\ufffd\u0712\ufffdB2q;U|\ufffd#\ufffd\ufffd\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffd\u009b\ufffd0\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\\u0013\\u0002\\u0013\\u0001\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u040f\ufffd\ufffdWpv\ufffd\ufffd8q\ufffd[N\ufffdUo\ufffd\u032bN\ufffd\\fR\ufffd\ufffdl\ufffd\ufffdU\ufffd y\ufffdW\ufffd\u0712\ufffdB2q;U|\ufffd#\ufffd\ufffd\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffd\u009b\ufffd0\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u040f\ufffd\ufffdWpv\ufffd\ufffd8q\ufffd[N\ufffdUo\ufffd\u032bN\ufffd\\fR\ufffd\ufffdl\ufffd\ufffdU\ufffd y\ufffdW\ufffd\u0712\ufffdB2q;U|\ufffd#\ufffd\ufffd\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffd\u009b\ufffd0\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\\u0013\\u0002\\u0013\\u0001\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u040f\ufffd\ufffdWpv\ufffd\ufffd8q\ufffd[N\ufffdUo\ufffd\u032bN\ufffd\\fR\ufffd\ufffdl\ufffd\ufffdU\ufffd y\ufffdW\ufffd\u0712\ufffdB2q;U|\ufffd#\ufffd\ufffd\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffd\u009b\ufffd0\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227dcb865c87e96ea35445dd2c1a691443b39c0fb3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u040f\ufffd\ufffdWpv\ufffd\ufffd8q\ufffd[N\ufffdUo\ufffd\u032bN\ufffd\\fR\ufffd\ufffdl\ufffd\ufffdU\ufffd y\ufffdW\ufffd\u0712\ufffdB2q;U|\ufffd#\ufffd\ufffd\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffd\u009b\ufffd0\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u040f\ufffd\ufffdWpv\ufffd\ufffd8q\ufffd[N\ufffdUo\ufffd\u032bN\ufffdR\ufffd\ufffdl\ufffd\ufffdU\ufffd y\ufffdW\ufffd\u0712\ufffdB2q;U|\ufffd#\ufffd\ufffd\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffd\u009b\ufffd0\ufffd\ufffd\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u040f\ufffd\ufffdWpv\ufffd\ufffd8q\ufffd[N\ufffdUo\ufffd\u032bN\ufffd\\fR\ufffd\ufffdl\ufffd\ufffdU\ufffd y\ufffdW\ufffd\u0712\ufffdB2q;U|\ufffd#\ufffd\ufffd\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffd\u009b\ufffd0\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u040f\ufffd\ufffdWpv\ufffd\ufffd8q\ufffd[N\ufffdUo\ufffd\u032bN\ufffdR\ufffd\ufffdl\ufffd\ufffdU\ufffd y\ufffdW\ufffd\u0712\ufffdB2q;U|\ufffd#\ufffd\ufffd\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffd\u009b\ufffd0\ufffd\ufffd\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":424},{"id":9618122,"ip":"82.102.31.6","ts":"2026-06-18 23:49:06.000000","proto":"tcp","src_port":58228,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 424, \u0022payload_entropy\u0022: 5.925274387438222, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225ad243c98493f4e22527ceb490e362de\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdz\ufffde_\\u0011]\ufffd\ufffd\ufffd\ufffdU\\u0000\ufffd\u0026\ufffd\ufffd 8\\rUW\ufffd\\u001d\ufffd\ufffd\ufffd\ufffd\ufffdIX \ufffd\\u0016k\\u0017\ufffdd\\u0002\ufffd\\u0014\\u00105\ufffdj\ufffd\u003E^\ufffd\ufffdDa\ufffd+\ufffd\ufffd\ufffdhK\ufffd\ufffd\ufffd\ufffdG\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdz\ufffde_\\u0011]\ufffd\ufffd\ufffd\ufffdU\\u0000\ufffd\u0026\ufffd\ufffd 8\\rUW\ufffd\\u001d\ufffd\ufffd\ufffd\ufffd\ufffdIX \ufffd\\u0016k\\u0017\ufffdd\\u0002\ufffd\\u0014\\u00105\ufffdj\ufffd\u003E^\ufffd\ufffdDa\ufffd+\ufffd\ufffd\ufffdhK\ufffd\ufffd\ufffd\ufffdG\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\ufffdv\ufffda\ufffd`\ufffd0\ufffd(\ufffd\\u0014\ufffd\/\ufffd\u0027\ufffd\\u0013\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000k\\u00009\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000g\\u00003\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdz\ufffde_\\u0011]\ufffd\ufffd\ufffd\ufffdU\\u0000\ufffd\u0026\ufffd\ufffd 8\\rUW\ufffd\\u001d\ufffd\ufffd\ufffd\ufffd\ufffdIX \ufffd\\u0016k\\u0017\ufffdd\\u0002\ufffd\\u0014\\u00105\ufffdj\ufffd\u003E^\ufffd\ufffdDa\ufffd+\ufffd\ufffd\ufffdhK\ufffd\ufffd\ufffd\ufffdG\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223c68a5b7ac5247285b97a765e245e12ef1d3831f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdz\ufffde_\\u0011]\ufffd\ufffd\ufffd\ufffdU\\u0000\ufffd\u0026\ufffd\ufffd 8\\rUW\ufffd\\u001d\ufffd\ufffd\ufffd\ufffd\ufffdIX \ufffd\\u0016k\\u0017\ufffdd\\u0002\ufffd\\u0014\\u00105\ufffdj\ufffd\u003E^\ufffd\ufffdDa\ufffd+\ufffd\ufffd\ufffdhK\ufffd\ufffd\ufffd\ufffdG\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdz\ufffde_]\ufffd\ufffd\ufffd\ufffdU\ufffd\u0026\ufffd\ufffd 8\\rUW\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdIX \ufffdk\ufffdd\ufffd5\ufffdj\ufffd\u003E^\ufffd\ufffdDa\ufffd+\ufffd\ufffd\ufffdhK\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\/\\n\ufffd\ufffd\u0328\ufffdw\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdz\ufffde_\\u0011]\ufffd\ufffd\ufffd\ufffdU\\u0000\ufffd\u0026\ufffd\ufffd 8\\rUW\ufffd\\u001d\ufffd\ufffd\ufffd\ufffd\ufffdIX \ufffd\\u0016k\\u0017\ufffdd\\u0002\ufffd\\u0014\\u00105\ufffdj\ufffd\u003E^\ufffd\ufffdDa\ufffd+\ufffd\ufffd\ufffdhK\ufffd\ufffd\ufffd\ufffdG\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdz\ufffde_]\ufffd\ufffd\ufffd\ufffdU\ufffd\u0026\ufffd\ufffd 8\\rUW\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdIX \ufffdk\ufffdd\ufffd5\ufffdj\ufffd\u003E^\ufffd\ufffdDa\ufffd+\ufffd\ufffd\ufffdhK\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\/\\n\ufffd\ufffd\u0328\ufffdw\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":424},{"id":9618119,"ip":"82.102.31.6","ts":"2026-06-18 23:49:04.000000","proto":"tcp","src_port":58212,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 3.8904166501607635, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022eb37891e2e2f2bce1563cb59575b12e6\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdi\ufffd\ufffdS\\u0006\ufffd\ufffd\\f\ufffdfx\ufffd\\u0000\u003C\ufffdU\ufffdM\\\\\ufffd\\n\ufffd\ufffdZ\ufffd\ufffdj\\u000e\ufffdj \ufffd~B\\u0001\\u0001_\ufffd\ufffd\ufffd%x\ufffdu\\\\R\ufffdI\ufffd\\u000eaJ]\ufffd;\u0087\ufffd\u026b\ufffdU\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdi\ufffd\ufffdS\\u0006\ufffd\ufffd\\f\ufffdfx\ufffd\\u0000\u003C\ufffdU\ufffdM\\\\\ufffd\\n\ufffd\ufffdZ\ufffd\ufffdj\\u000e\ufffdj \ufffd~B\\u0001\\u0001_\ufffd\ufffd\ufffd%x\ufffdu\\\\R\ufffdI\ufffd\\u000eaJ]\ufffd;\u0087\ufffd\u026b\ufffdU\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\\u0000\ufffd\\u0000=\\u0000\u003C\\u00005\\u0000\/\\u0000\ufffd\\u0001\\u0000\\u0001u\\u0000\\u000b\\u0000\\u0004\\u0003\\u0000\\u0001\\u0002\\u0000\\n\\u0000\\u0016\\u0000\\u0014\\u0000\\u001d\\u0000\\u0017\\u0000\\u001e\\u0000\\u0019\\u0000\\u0018\\u0001\\u0000\\u0001\\u0001\\u0001\\u0002\\u0001\\u0003\\u0001\\u0004\\u0000#\\u0000\\u0000\\u0000\\u0016\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\r\\u0000*\\u0000(\\u0004\\u0003\\u0005\\u0003\\u0006\\u0003\\b\\u0007\\b\\b\\b\\t\\b\\n\\b\\u000b\\b\\u0004\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0003\\u0003\\u0003\\u0001\\u0003\\u0002\\u0004\\u0002\\u0005\\u0002\\u0006\\u0002\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u0000-\\u0000\\u0002\\u0001\\u0001\\u00003\\u0000\u0026\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdi\ufffd\ufffdS\\u0006\ufffd\ufffd\\f\ufffdfx\ufffd\\u0000\u003C\ufffdU\ufffdM\\\\\ufffd\\n\ufffd\ufffdZ\ufffd\ufffdj\\u000e\ufffdj \ufffd~B\\u0001\\u0001_\ufffd\ufffd\ufffd%x\ufffdu\\\\R\ufffdI\ufffd\\u000eaJ]\ufffd;\u0087\ufffd\u026b\ufffdU\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fc6dd2ac99c1698d29340be4f0526b3720b5a393\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdi\ufffd\ufffdS\\u0006\ufffd\ufffd\\f\ufffdfx\ufffd\\u0000\u003C\ufffdU\ufffdM\\\\\ufffd\\n\ufffd\ufffdZ\ufffd\ufffdj\\u000e\ufffdj \ufffd~B\\u0001\\u0001_\ufffd\ufffd\ufffd%x\ufffdu\\\\R\ufffdI\ufffd\\u000eaJ]\ufffd;\u0087\ufffd\u026b\ufffdU\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdi\ufffd\ufffdS\ufffd\ufffd\ufffdfx\ufffd\u003C\ufffdU\ufffdM\\\\\ufffd\\n\ufffd\ufffdZ\ufffd\ufffdj\ufffdj \ufffd~B_\ufffd\ufffd\ufffd%x\ufffdu\\\\R\ufffdI\ufffdaJ]\ufffd;\u0087\ufffd\u026b\ufffdU\u003E\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd\u0027g\ufffd\\n\ufffd9\ufffd\\t\ufffd3\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdi\ufffd\ufffdS\\u0006\ufffd\ufffd\\f\ufffdfx\ufffd\\u0000\u003C\ufffdU\ufffdM\\\\\ufffd\\n\ufffd\ufffdZ\ufffd\ufffdj\\u000e\ufffdj \ufffd~B\\u0001\\u0001_\ufffd\ufffd\ufffd%x\ufffdu\\\\R\ufffdI\ufffd\\u000eaJ]\ufffd;\u0087\ufffd\u026b\ufffdU\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdi\ufffd\ufffdS\ufffd\ufffd\ufffdfx\ufffd\u003C\ufffdU\ufffdM\\\\\ufffd\\n\ufffd\ufffdZ\ufffd\ufffdj\ufffdj \ufffd~B_\ufffd\ufffd\ufffd%x\ufffdu\\\\R\ufffdI\ufffdaJ]\ufffd;\u0087\ufffd\u026b\ufffdU\u003E\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd\u0027g\ufffd\\n\ufffd9\ufffd\\t\ufffd3\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":517},{"id":9528165,"ip":"82.102.31.6","ts":"2026-06-17 22:50:27.000000","proto":"tcp","src_port":53396,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 439, \u0022payload_entropy\u0022: 5.973212303214398, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e8bddb67a63f1fb84fa49d70a643473d\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\\u0022vH}\\u0007\\nKs\ufffd\\u00076\\u0002Gs.$C\ufffd\ufffd\ufffdE\\u0005RQ\ufffd9\ufffdn\ufffd P8\ufffd9\u003C\ufffd\\u0000hB\ufffd\ufffd\ufffd\u0273\ufffd\ufffd\ufffd\ufffd\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd+\\u000b~\ufffdm\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\\u0022vH}\\u0007\\nKs\ufffd\\u00076\\u0002Gs.$C\ufffd\ufffd\ufffdE\\u0005RQ\ufffd9\ufffdn\ufffd P8\ufffd9\u003C\ufffd\\u0000hB\ufffd\ufffd\ufffd\u0273\ufffd\ufffd\ufffd\ufffd\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd+\\u000b~\ufffdm\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\ufffd\\n\\u0013\\u0004\ufffd+\\u0013\\u0003\ufffd\ufffd\ufffd\\u0013\ufffd\ufffd\ufffd\\u0011\ufffd#\\u0000\\n\ufffd\\t\\u0000\/\ufffd\\b\\u0000\u003C\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000E\\u0000=\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000k\\u0000A\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\\u0007\\u0000g\\u0000\\u0004\\u00003\\u0000\\u0005\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd**\\u0000\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\\u0022vH}\\u0007\\nKs\ufffd\\u00076\\u0002Gs.$C\ufffd\ufffd\ufffdE\\u0005RQ\ufffd9\ufffdn\ufffd P8\ufffd9\u003C\ufffd\\u0000hB\ufffd\ufffd\ufffd\u0273\ufffd\ufffd\ufffd\ufffd\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd+\\u000b~\ufffdm\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f76dc34df87c5edb2845f846c18e36240fe50567\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\\u0022vH}\\u0007\\nKs\ufffd\\u00076\\u0002Gs.$C\ufffd\ufffd\ufffdE\\u0005RQ\ufffd9\ufffdn\ufffd P8\ufffd9\u003C\ufffd\\u0000hB\ufffd\ufffd\ufffd\u0273\ufffd\ufffd\ufffd\ufffd\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd+\\u000b~\ufffdm\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\\\u0022vH}\\nKs\ufffd6Gs.$C\ufffd\ufffd\ufffdERQ\ufffd9\ufffdn\ufffd P8\ufffd9\u003C\ufffdhB\ufffd\ufffd\ufffd\u0273\ufffd\ufffd\ufffd\ufffd\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd+~\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\\u0022vH}\\u0007\\nKs\ufffd\\u00076\\u0002Gs.$C\ufffd\ufffd\ufffdE\\u0005RQ\ufffd9\ufffdn\ufffd P8\ufffd9\u003C\ufffd\\u0000hB\ufffd\ufffd\ufffd\u0273\ufffd\ufffd\ufffd\ufffd\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd+\\u000b~\ufffdm\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\\\u0022vH}\\nKs\ufffd6Gs.$C\ufffd\ufffd\ufffdERQ\ufffd9\ufffdn\ufffd P8\ufffd9\u003C\ufffdhB\ufffd\ufffd\ufffd\u0273\ufffd\ufffd\ufffd\ufffd\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd+~\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":439},{"id":9528163,"ip":"82.102.31.6","ts":"2026-06-17 22:50:26.000000","proto":"tcp","src_port":53370,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 426, \u0022payload_entropy\u0022: 5.946275313031574, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002215075190b4519c182dc4fa44840f9f5a\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0015\\u0004N\\u0017\ufffdy\\u000b8\u003EP\\u0013\\u0007\u0027MK\ufffd\u068e\u036d\\u0014p\\\u0022.\u06e5\ufffd\\u001b\ufffd [S-\ufffd\ufffd\ufffd\\u0013\ufffdn\\r{\ufffd\ufffdY\ufffdq\ufffd\\u0002\ufffd\ufffd\u0147d\ufffd\ufffd\ufffd\ufffdCE\u00d0\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0015\\u0004N\\u0017\ufffdy\\u000b8\u003EP\\u0013\\u0007\u0027MK\ufffd\u068e\u036d\\u0014p\\\u0022.\u06e5\ufffd\\u001b\ufffd [S-\ufffd\ufffd\ufffd\\u0013\ufffdn\\r{\ufffd\ufffdY\ufffdq\ufffd\\u0002\ufffd\ufffd\u0147d\ufffd\ufffd\ufffd\ufffdCE\u00d0\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\ufffdv\ufffda\ufffd`\ufffd0\ufffd(\ufffd\\u0014\ufffd\/\ufffd\u0027\ufffd\\u0013\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000k\\u00009\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000g\\u00003\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0015\\u0004N\\u0017\ufffdy\\u000b8\u003EP\\u0013\\u0007\u0027MK\ufffd\u068e\u036d\\u0014p\\\u0022.\u06e5\ufffd\\u001b\ufffd [S-\ufffd\ufffd\ufffd\\u0013\ufffdn\\r{\ufffd\ufffdY\ufffdq\ufffd\\u0002\ufffd\ufffd\u0147d\ufffd\ufffd\ufffd\ufffdCE\u00d0\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002267a4c50064804ef6b15b2943de23d5e032a3d35a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0015\\u0004N\\u0017\ufffdy\\u000b8\u003EP\\u0013\\u0007\u0027MK\ufffd\u068e\u036d\\u0014p\\\u0022.\u06e5\ufffd\\u001b\ufffd [S-\ufffd\ufffd\ufffd\\u0013\ufffdn\\r{\ufffd\ufffdY\ufffdq\ufffd\\u0002\ufffd\ufffd\u0147d\ufffd\ufffd\ufffd\ufffdCE\u00d0\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdN\ufffdy8\u003EP\u0027MK\ufffd\u068e\u036dp\\\u0022.\u06e5\ufffd\ufffd [S-\ufffd\ufffd\ufffd\ufffdn\\r{\ufffd\ufffdY\ufffdq\ufffd\ufffd\ufffd\u0147d\ufffd\ufffd\ufffd\ufffdCE\u00d0\ufffd\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\/\\n\ufffd\ufffd\u0328\ufffdw\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0015\\u0004N\\u0017\ufffdy\\u000b8\u003EP\\u0013\\u0007\u0027MK\ufffd\u068e\u036d\\u0014p\\\u0022.\u06e5\ufffd\\u001b\ufffd [S-\ufffd\ufffd\ufffd\\u0013\ufffdn\\r{\ufffd\ufffdY\ufffdq\ufffd\\u0002\ufffd\ufffd\u0147d\ufffd\ufffd\ufffd\ufffdCE\u00d0\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdN\ufffdy8\u003EP\u0027MK\ufffd\u068e\u036dp\\\u0022.\u06e5\ufffd\ufffd [S-\ufffd\ufffd\ufffd\ufffdn\\r{\ufffd\ufffdY\ufffdq\ufffd\ufffd\ufffd\u0147d\ufffd\ufffd\ufffd\ufffdCE\u00d0\ufffd\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\/\\n\ufffd\ufffd\u0328\ufffdw\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":426},{"id":9528164,"ip":"82.102.31.6","ts":"2026-06-17 22:50:26.000000","proto":"tcp","src_port":53386,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 416, \u0022payload_entropy\u0022: 5.977133152221018, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228ff3251b3d1a3bec25e1707835707187\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdL]\u019c\ufffd{l\ufffd\ufffd\ufffd\/o\ufffd\\u000bn\ufffd\ufffd\ufffd\u0027\ufffd\ufffd~;O%\ufffdP\ufffd(1\ufffd \\u0012\ufffd\ufffdh\ufffd\\u0017\ufffd\ufffd:\ufffd:D\ufffdp\\u0012\\u001fj\\\\\\u0017{\\u0015\ufffdJ\\u0000\ufffdrq!\ufffd\\u0019?\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdL]\u019c\ufffd{l\ufffd\ufffd\ufffd\/o\ufffd\\u000bn\ufffd\ufffd\ufffd\u0027\ufffd\ufffd~;O%\ufffdP\ufffd(1\ufffd \\u0012\ufffd\ufffdh\ufffd\\u0017\ufffd\ufffd:\ufffd:D\ufffdp\\u0012\\u001fj\\\\\\u0017{\\u0015\ufffdJ\\u0000\ufffdrq!\ufffd\\u0019?\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdL]\u019c\ufffd{l\ufffd\ufffd\ufffd\/o\ufffd\\u000bn\ufffd\ufffd\ufffd\u0027\ufffd\ufffd~;O%\ufffdP\ufffd(1\ufffd \\u0012\ufffd\ufffdh\ufffd\\u0017\ufffd\ufffd:\ufffd:D\ufffdp\\u0012\\u001fj\\\\\\u0017{\\u0015\ufffdJ\\u0000\ufffdrq!\ufffd\\u0019?\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002224a391e7951f57670510d7d81c5cbaf7c432aa51\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdL]\u019c\ufffd{l\ufffd\ufffd\ufffd\/o\ufffd\\u000bn\ufffd\ufffd\ufffd\u0027\ufffd\ufffd~;O%\ufffdP\ufffd(1\ufffd \\u0012\ufffd\ufffdh\ufffd\\u0017\ufffd\ufffd:\ufffd:D\ufffdp\\u0012\\u001fj\\\\\\u0017{\\u0015\ufffdJ\\u0000\ufffdrq!\ufffd\\u0019?\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdL]\u019c\ufffd{l\ufffd\ufffd\ufffd\/o\ufffdn\ufffd\ufffd\ufffd\u0027\ufffd\ufffd~;O%\ufffdP\ufffd(1\ufffd \ufffd\ufffdh\ufffd\ufffd\ufffd:\ufffd:D\ufffdpj\\\\{\ufffdJ\ufffdrq!\ufffd?\ufffd\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdL]\u019c\ufffd{l\ufffd\ufffd\ufffd\/o\ufffd\\u000bn\ufffd\ufffd\ufffd\u0027\ufffd\ufffd~;O%\ufffdP\ufffd(1\ufffd \\u0012\ufffd\ufffdh\ufffd\\u0017\ufffd\ufffd:\ufffd:D\ufffdp\\u0012\\u001fj\\\\\\u0017{\\u0015\ufffdJ\\u0000\ufffdrq!\ufffd\\u0019?\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdL]\u019c\ufffd{l\ufffd\ufffd\ufffd\/o\ufffdn\ufffd\ufffd\ufffd\u0027\ufffd\ufffd~;O%\ufffdP\ufffd(1\ufffd \ufffd\ufffdh\ufffd\ufffd\ufffd:\ufffd:D\ufffdpj\\\\{\ufffdJ\ufffdrq!\ufffd?\ufffd\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":416},{"id":9528162,"ip":"82.102.31.6","ts":"2026-06-17 22:50:25.000000","proto":"tcp","src_port":53362,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 426, \u0022payload_entropy\u0022: 6.0422452002522995, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221f35bf86dd9338a10c6840d3b6fc745f\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffdF\u0123M4w\ufffd^\u044f\ufffd\ufffdl\\u0016@\ufffd%Pm\\u0015\ufffd\ufffd\u0027\ufffd\ufffd5\ufffd= \ufffd\\u000e\ufffd\ufffd_\\u0018\\u0003\u0209\\u0014?\ufffd\\u001e\\u0018U)\ufffd\u066b\ufffd\\\u0022\ufffd[\ufffd\ufffd\\u0004Rma\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffdF\u0123M4w\ufffd^\u044f\ufffd\ufffdl\\u0016@\ufffd%Pm\\u0015\ufffd\ufffd\u0027\ufffd\ufffd5\ufffd= \ufffd\\u000e\ufffd\ufffd_\\u0018\\u0003\u0209\\u0014?\ufffd\\u001e\\u0018U)\ufffd\u066b\ufffd\\\u0022\ufffd[\ufffd\ufffd\\u0004Rma\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\\u0013\\u0002\\u0013\\u0001\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffdF\u0123M4w\ufffd^\u044f\ufffd\ufffdl\\u0016@\ufffd%Pm\\u0015\ufffd\ufffd\u0027\ufffd\ufffd5\ufffd= \ufffd\\u000e\ufffd\ufffd_\\u0018\\u0003\u0209\\u0014?\ufffd\\u001e\\u0018U)\ufffd\u066b\ufffd\\\u0022\ufffd[\ufffd\ufffd\\u0004Rma\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022195091ff84fe6b8b485c19cb3f9b6307d1494c9e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffdF\u0123M4w\ufffd^\u044f\ufffd\ufffdl\\u0016@\ufffd%Pm\\u0015\ufffd\ufffd\u0027\ufffd\ufffd5\ufffd= \ufffd\\u000e\ufffd\ufffd_\\u0018\\u0003\u0209\\u0014?\ufffd\\u001e\\u0018U)\ufffd\u066b\ufffd\\\u0022\ufffd[\ufffd\ufffd\\u0004Rma\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffdF\u0123M4w\ufffd^\u044f\ufffd\ufffdl@\ufffd%Pm\ufffd\ufffd\u0027\ufffd\ufffd5\ufffd= \ufffd\ufffd\ufffd_\u0209?\ufffdU)\ufffd\u066b\ufffd\\\u0022\ufffd[\ufffd\ufffdRma\ufffd\ufffd\ufffd\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffdF\u0123M4w\ufffd^\u044f\ufffd\ufffdl\\u0016@\ufffd%Pm\\u0015\ufffd\ufffd\u0027\ufffd\ufffd5\ufffd= \ufffd\\u000e\ufffd\ufffd_\\u0018\\u0003\u0209\\u0014?\ufffd\\u001e\\u0018U)\ufffd\u066b\ufffd\\\u0022\ufffd[\ufffd\ufffd\\u0004Rma\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffdF\u0123M4w\ufffd^\u044f\ufffd\ufffdl@\ufffd%Pm\ufffd\ufffd\u0027\ufffd\ufffd5\ufffd= \ufffd\ufffd\ufffd_\u0209?\ufffdU)\ufffd\u066b\ufffd\\\u0022\ufffd[\ufffd\ufffdRma\ufffd\ufffd\ufffd\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":426},{"id":9528161,"ip":"82.102.31.6","ts":"2026-06-17 22:50:24.000000","proto":"tcp","src_port":53346,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 413, \u0022payload_entropy\u0022: 6.001233082779773, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d4b3297cd2f61c47c05f747da0a3bf21\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002\\u0001TW\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffd\\r\ufffd\ufffd\ufffdu\ufffd\\u0018B\\u001f\ufffd6-b\ufffd\ufffd.\ufffdj\ufffd \ufffd\ufffd:\\u0002\ufffd\ufffd6\ufffd\\n\ufffd\ufffd\\u001d\ufffd\ufffd=\ufffd;,\ufffd+\ufffdQve\ufffd 1\ufffd#s\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002\\u0001TW\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffd\\r\ufffd\ufffd\ufffdu\ufffd\\u0018B\\u001f\ufffd6-b\ufffd\ufffd.\ufffdj\ufffd \ufffd\ufffd:\\u0002\ufffd\ufffd6\ufffd\\n\ufffd\ufffd\\u001d\ufffd\ufffd=\ufffd;,\ufffd+\ufffdQve\ufffd 1\ufffd#s\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\\u0013\\u0002\\u0013\\u0001\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002\\u0001TW\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffd\\r\ufffd\ufffd\ufffdu\ufffd\\u0018B\\u001f\ufffd6-b\ufffd\ufffd.\ufffdj\ufffd \ufffd\ufffd:\\u0002\ufffd\ufffd6\ufffd\\n\ufffd\ufffd\\u001d\ufffd\ufffd=\ufffd;,\ufffd+\ufffdQve\ufffd 1\ufffd#s\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225da3b1bf4c9f7ccb40211b362946ca080482f309\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002\\u0001TW\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffd\\r\ufffd\ufffd\ufffdu\ufffd\\u0018B\\u001f\ufffd6-b\ufffd\ufffd.\ufffdj\ufffd \ufffd\ufffd:\\u0002\ufffd\ufffd6\ufffd\\n\ufffd\ufffd\\u001d\ufffd\ufffd=\ufffd;,\ufffd+\ufffdQve\ufffd 1\ufffd#s\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdTW\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffd\\r\ufffd\ufffd\ufffdu\ufffdB\ufffd6-b\ufffd\ufffd.\ufffdj\ufffd \ufffd\ufffd:\ufffd\ufffd6\ufffd\\n\ufffd\ufffd\ufffd\ufffd=\ufffd;,\ufffd+\ufffdQve\ufffd 1\ufffd#s\ufffd\ufffd\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002\\u0001TW\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffd\\r\ufffd\ufffd\ufffdu\ufffd\\u0018B\\u001f\ufffd6-b\ufffd\ufffd.\ufffdj\ufffd \ufffd\ufffd:\\u0002\ufffd\ufffd6\ufffd\\n\ufffd\ufffd\\u001d\ufffd\ufffd=\ufffd;,\ufffd+\ufffdQve\ufffd 1\ufffd#s\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdTW\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffd\\r\ufffd\ufffd\ufffdu\ufffdB\ufffd6-b\ufffd\ufffd.\ufffdj\ufffd \ufffd\ufffd:\ufffd\ufffd6\ufffd\\n\ufffd\ufffd\ufffd\ufffd=\ufffd;,\ufffd+\ufffdQve\ufffd 1\ufffd#s\ufffd\ufffd\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":413},{"id":9528160,"ip":"82.102.31.6","ts":"2026-06-17 22:50:23.000000","proto":"tcp","src_port":53330,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 412, \u0022payload_entropy\u0022: 5.97585593218372, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e052beb6c23aaf16c165935568316db9\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\/\ufffdeF\\u0013\ufffd\ufffd\ufffdE\ufffd\\u00131\u0763\ufffd\u003C\\u001a\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdiwL\ufffd\\u000f \ufffdN\uf665\ufffd\\u0002a\ufffd\\u001fC\ufffdwge\ufffd\ufffdK\\u0012\ufffd\ufffdj.0\ufffd4\ufffd}dh!\\u0000\ufffdZZ\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\/\ufffdeF\\u0013\ufffd\ufffd\ufffdE\ufffd\\u00131\u0763\ufffd\u003C\\u001a\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdiwL\ufffd\\u000f \ufffdN\uf665\ufffd\\u0002a\ufffd\\u001fC\ufffdwge\ufffd\ufffdK\\u0012\ufffd\ufffdj.0\ufffd4\ufffd}dh!\\u0000\ufffdZZ\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\ufffd\\n\\u0013\\u0004\ufffd+\\u0013\\u0003\ufffd\ufffd\ufffd\\u0013\ufffd\ufffd\ufffd\\u0011\ufffd#\\u0000\\n\ufffd\\t\\u0000\/\ufffd\\b\\u0000\u003C\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000E\\u0000=\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000k\\u0000A\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\\u0007\\u0000g\\u0000\\u0004\\u00003\\u0000\\u0005\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd::\\u0000\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\/\ufffdeF\\u0013\ufffd\ufffd\ufffdE\ufffd\\u00131\u0763\ufffd\u003C\\u001a\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdiwL\ufffd\\u000f \ufffdN\uf665\ufffd\\u0002a\ufffd\\u001fC\ufffdwge\ufffd\ufffdK\\u0012\ufffd\ufffdj.0\ufffd4\ufffd}dh!\\u0000\ufffdZZ\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\/\ufffdeF\\u0013\ufffd\ufffd\ufffdE\ufffd\\u00131\u0763\ufffd\u003C\\u001a\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdiwL\ufffd\\u000f \ufffdN\uf665\ufffd\\u0002a\ufffd\\u001fC\ufffdwge\ufffd\ufffdK\\u0012\ufffd\ufffdj.0\ufffd4\ufffd}dh!\\u0000\ufffdZZ\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\ufffd\\n\\u0013\\u0004\ufffd+\\u0013\\u0003\ufffd\ufffd\ufffd\\u0013\ufffd\ufffd\ufffd\\u0011\ufffd#\\u0000\\n\ufffd\\t\\u0000\/\ufffd\\b\\u0000\u003C\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000E\\u0000=\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000k\\u0000A\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\\u0007\\u0000g\\u0000\\u0004\\u00003\\u0000\\u0005\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd::\\u0000\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\/\ufffdeF\\u0013\ufffd\ufffd\ufffdE\ufffd\\u00131\u0763\ufffd\u003C\\u001a\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdiwL\ufffd\\u000f \ufffdN\uf665\ufffd\\u0002a\ufffd\\u001fC\ufffdwge\ufffd\ufffdK\\u0012\ufffd\ufffdj.0\ufffd4\ufffd}dh!\\u0000\ufffdZZ\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225c80cc5f8e1b9ae15d4a536f6eaa06cbc0d911a0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\/\ufffdeF\\u0013\ufffd\ufffd\ufffdE\ufffd\\u00131\u0763\ufffd\u003C\\u001a\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdiwL\ufffd\\u000f \ufffdN\uf665\ufffd\\u0002a\ufffd\\u001fC\ufffdwge\ufffd\ufffdK\\u0012\ufffd\ufffdj.0\ufffd4\ufffd}dh!\\u0000\ufffdZZ\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\/\ufffdeF\ufffd\ufffd\ufffdE\ufffd1\u0763\ufffd\u003C\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdiwL\ufffd \ufffdN\uf665\ufffda\ufffdC\ufffdwge\ufffd\ufffdK\ufffd\ufffdj.0\ufffd4\ufffd}dh!\ufffdZZ\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\/\ufffdeF\\u0013\ufffd\ufffd\ufffdE\ufffd\\u00131\u0763\ufffd\u003C\\u001a\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdiwL\ufffd\\u000f \ufffdN\uf665\ufffd\\u0002a\ufffd\\u001fC\ufffdwge\ufffd\ufffdK\\u0012\ufffd\ufffdj.0\ufffd4\ufffd}dh!\\u0000\ufffdZZ\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\/\ufffdeF\ufffd\ufffd\ufffdE\ufffd1\u0763\ufffd\u003C\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdiwL\ufffd \ufffdN\uf665\ufffda\ufffdC\ufffdwge\ufffd\ufffdK\ufffd\ufffdj.0\ufffd4\ufffd}dh!\ufffdZZ\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":412},{"id":9528157,"ip":"82.102.31.6","ts":"2026-06-17 22:50:22.000000","proto":"tcp","src_port":33998,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 345, \u0022payload_entropy\u0022: 6.06039843922831, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022594f027c3e5d6bf2c187c40da436f9f1\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003\\u0013\\u000f\ufffdc\ufffdDh\ufffdo\ufffdZm\ufffd\ufffd\u950a\ufffd\\n8\\u0006x\ufffd)5\ufffd\ufffd\ufffdwF M\\nw\ufffd\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\ufffd\ufffdVz\\u0012\ufffd\ufffd\ufffd\ufffd]xd\ufffd\ufffdJ\\u001b\ufffd\ufffd\ufffd\\u001f5\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003\\u0013\\u000f\ufffdc\ufffdDh\ufffdo\ufffdZm\ufffd\ufffd\u950a\ufffd\\n8\\u0006x\ufffd)5\ufffd\ufffd\ufffdwF M\\nw\ufffd\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\ufffd\ufffdVz\\u0012\ufffd\ufffd\ufffd\ufffd]xd\ufffd\ufffdJ\\u001b\ufffd\ufffd\ufffd\\u001f5\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000k\\u00009\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000g\\u00003\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0010\\u0000\u003C\\u0000:\\bhttp\/0.9\\bhttp\/1.0\\bhttp\/1.1\\u0006spdy\/1\\u0006spdy\/2\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003\\u0013\\u000f\ufffdc\ufffdDh\ufffdo\ufffdZm\ufffd\ufffd\u950a\ufffd\\n8\\u0006x\ufffd)5\ufffd\ufffd\ufffdwF M\\nw\ufffd\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\ufffd\ufffdVz\\u0012\ufffd\ufffd\ufffd\ufffd]xd\ufffd\ufffdJ\\u001b\ufffd\ufffd\ufffd\\u001f5\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cd88eff98cfa292328537c978285e68cec2e6681\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003\\u0013\\u000f\ufffdc\ufffdDh\ufffdo\ufffdZm\ufffd\ufffd\u950a\ufffd\\n8\\u0006x\ufffd)5\ufffd\ufffd\ufffdwF M\\nw\ufffd\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\ufffd\ufffdVz\\u0012\ufffd\ufffd\ufffd\ufffd]xd\ufffd\ufffdJ\\u001b\ufffd\ufffd\ufffd\\u001f5\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022TP\ufffdc\ufffdDh\ufffdo\ufffdZm\ufffd\ufffd\u950a\ufffd\\n8x\ufffd)5\ufffd\ufffd\ufffdwF M\\nw\ufffd\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\ufffd\ufffdVz\ufffd\ufffd\ufffd\ufffd]xd\ufffd\ufffdJ\ufffd\ufffd\ufffd5F\ufffd\ufffd\ufffd\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003\\u0013\\u000f\ufffdc\ufffdDh\ufffdo\ufffdZm\ufffd\ufffd\u950a\ufffd\\n8\\u0006x\ufffd)5\ufffd\ufffd\ufffdwF M\\nw\ufffd\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\ufffd\ufffdVz\\u0012\ufffd\ufffd\ufffd\ufffd]xd\ufffd\ufffdJ\\u001b\ufffd\ufffd\ufffd\\u001f5\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TP\ufffdc\ufffdDh\ufffdo\ufffdZm\ufffd\ufffd\u950a\ufffd\\n8x\ufffd)5\ufffd\ufffd\ufffdwF M\\nw\ufffd\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\ufffd\ufffdVz\ufffd\ufffd\ufffd\ufffd]xd\ufffd\ufffdJ\ufffd\ufffd\ufffd5F\ufffd\ufffd\ufffd\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":345},{"id":9528158,"ip":"82.102.31.6","ts":"2026-06-17 22:50:22.000000","proto":"tcp","src_port":34000,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 331, \u0022payload_entropy\u0022: 6.0194101700165925, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002271c822283008552ba4065b6fbcb44dc6\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003z\ufffd;m\ufffd\ufffd\ufffdp\ufffd\ufffd*8\ufffd\ufffdNEv\ufffd\ufffd\ufffdI\\u0000s\ufffdB\ufffdfD\ufffd)\ufffd\u0027 \ufffdk\ufffdJ0\ufffd\u003E\ufffdN\ufffdA-\\\\\ufffd\ufffd\ufffd\ufffdg\\u000f\ufffd8\ufffd\ufffd\\u0011\ufffd\u0026\ufffd\\u0012\ufffd\ufffd\ufffd\ufffd\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003z\ufffd;m\ufffd\ufffd\ufffdp\ufffd\ufffd*8\ufffd\ufffdNEv\ufffd\ufffd\ufffdI\\u0000s\ufffdB\ufffdfD\ufffd)\ufffd\u0027 \ufffdk\ufffdJ0\ufffd\u003E\ufffdN\ufffdA-\\\\\ufffd\ufffd\ufffd\ufffdg\\u000f\ufffd8\ufffd\ufffd\\u0011\ufffd\u0026\ufffd\\u0012\ufffd\ufffd\ufffd\ufffd\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0010\\u00000\\u0000.\\bhttp\/0.9\\bhttp\/1.0\\u0006spdy\/1\\u0006spdy\/2\\u0006spdy\/3\\u0003h2c\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003z\ufffd;m\ufffd\ufffd\ufffdp\ufffd\ufffd*8\ufffd\ufffdNEv\ufffd\ufffd\ufffdI\\u0000s\ufffdB\ufffdfD\ufffd)\ufffd\u0027 \ufffdk\ufffdJ0\ufffd\u003E\ufffdN\ufffdA-\\\\\ufffd\ufffd\ufffd\ufffdg\\u000f\ufffd8\ufffd\ufffd\\u0011\ufffd\u0026\ufffd\\u0012\ufffd\ufffd\ufffd\ufffd\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e9009e4b7b46064248b7bd468522d6333c9324f4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003z\ufffd;m\ufffd\ufffd\ufffdp\ufffd\ufffd*8\ufffd\ufffdNEv\ufffd\ufffd\ufffdI\\u0000s\ufffdB\ufffdfD\ufffd)\ufffd\u0027 \ufffdk\ufffdJ0\ufffd\u003E\ufffdN\ufffdA-\\\\\ufffd\ufffd\ufffd\ufffdg\\u000f\ufffd8\ufffd\ufffd\\u0011\ufffd\u0026\ufffd\\u0012\ufffd\ufffd\ufffd\ufffd\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022FBz\ufffd;m\ufffd\ufffd\ufffdp\ufffd\ufffd*8\ufffd\ufffdNEv\ufffd\ufffd\ufffdIs\ufffdB\ufffdfD\ufffd)\ufffd\u0027 \ufffdk\ufffdJ0\ufffd\u003E\ufffdN\ufffdA-\\\\\ufffd\ufffd\ufffd\ufffdg\ufffd8\ufffd\ufffd\ufffd\u0026\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffd\ufffd\u0027\ufffd\/\ufffd\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\ufffd\ufffd\\n\/\u003C\ufffd\ufffd\ufffd\ufffd\ufffd5=\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003z\ufffd;m\ufffd\ufffd\ufffdp\ufffd\ufffd*8\ufffd\ufffdNEv\ufffd\ufffd\ufffdI\\u0000s\ufffdB\ufffdfD\ufffd)\ufffd\u0027 \ufffdk\ufffdJ0\ufffd\u003E\ufffdN\ufffdA-\\\\\ufffd\ufffd\ufffd\ufffdg\\u000f\ufffd8\ufffd\ufffd\\u0011\ufffd\u0026\ufffd\\u0012\ufffd\ufffd\ufffd\ufffd\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022FBz\ufffd;m\ufffd\ufffd\ufffdp\ufffd\ufffd*8\ufffd\ufffdNEv\ufffd\ufffd\ufffdIs\ufffdB\ufffdfD\ufffd)\ufffd\u0027 \ufffdk\ufffdJ0\ufffd\u003E\ufffdN\ufffdA-\\\\\ufffd\ufffd\ufffd\ufffdg\ufffd8\ufffd\ufffd\ufffd\u0026\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffd\ufffd\u0027\ufffd\/\ufffd\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\ufffd\ufffd\\n\/\u003C\ufffd\ufffd\ufffd\ufffd\ufffd5=\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":331},{"id":9528155,"ip":"82.102.31.6","ts":"2026-06-17 22:50:21.000000","proto":"tcp","src_port":33992,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 424, \u0022payload_entropy\u0022: 5.948540063860328, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c0171f38ccaaf85eb59c3fe654d04893\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003K\ufffdk\ufffdj\u0027Pk+\ufffd\ufffd\ufffd\u07f7?\ufffd\ufffd\ufffd}\ufffd\ufffd\u0026\ufffd);\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\\u0006\\u0003\ufffd\u06461\ufffdUn\\u0007\ufffd*\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u033f^\\u0019\\u0014l\ufffdNd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003K\ufffdk\ufffdj\u0027Pk+\ufffd\ufffd\ufffd\u07f7?\ufffd\ufffd\ufffd}\ufffd\ufffd\u0026\ufffd);\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\\u0006\\u0003\ufffd\u06461\ufffdUn\\u0007\ufffd*\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u033f^\\u0019\\u0014l\ufffdNd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\ufffdv\ufffda\ufffd`\ufffd0\ufffd(\ufffd\\u0014\ufffd\/\ufffd\u0027\ufffd\\u0013\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000k\\u00009\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000g\\u00003\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003K\ufffdk\ufffdj\u0027Pk+\ufffd\ufffd\ufffd\u07f7?\ufffd\ufffd\ufffd}\ufffd\ufffd\u0026\ufffd);\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\\u0006\\u0003\ufffd\u06461\ufffdUn\\u0007\ufffd*\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u033f^\\u0019\\u0014l\ufffdNd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b8444ef1ff75239c5d4985260c2ccaacba996e57\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003K\ufffdk\ufffdj\u0027Pk+\ufffd\ufffd\ufffd\u07f7?\ufffd\ufffd\ufffd}\ufffd\ufffd\u0026\ufffd);\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\\u0006\\u0003\ufffd\u06461\ufffdUn\\u0007\ufffd*\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u033f^\\u0019\\u0014l\ufffdNd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdK\ufffdk\ufffdj\u0027Pk+\ufffd\ufffd\ufffd\u07f7?\ufffd\ufffd\ufffd}\ufffd\ufffd\u0026\ufffd);\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\u06461\ufffdUn\ufffd*\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u033f^l\ufffdNd\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\/\\n\ufffd\ufffd\u0328\ufffdw\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003K\ufffdk\ufffdj\u0027Pk+\ufffd\ufffd\ufffd\u07f7?\ufffd\ufffd\ufffd}\ufffd\ufffd\u0026\ufffd);\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\\u0006\\u0003\ufffd\u06461\ufffdUn\\u0007\ufffd*\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u033f^\\u0019\\u0014l\ufffdNd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdK\ufffdk\ufffdj\u0027Pk+\ufffd\ufffd\ufffd\u07f7?\ufffd\ufffd\ufffd}\ufffd\ufffd\u0026\ufffd);\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\u06461\ufffdUn\ufffd*\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u033f^l\ufffdNd\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\/\\n\ufffd\ufffd\u0328\ufffdw\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":424},{"id":9528154,"ip":"82.102.31.6","ts":"2026-06-17 22:50:20.000000","proto":"tcp","src_port":33976,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 424, \u0022payload_entropy\u0022: 5.94785378477892, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002283b14edcc4a2d8452ba1dd25c265899c\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0014Mg\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffd\ufffdr\ufffdF\ufffd\\u001f\\u001c\ufffda\\u0007\ufffd`\ufffd\ufffd\ufffd\\u0011\ufffd\\u0010\\u001e\ufffd \ufffd\ufffd\ufffd(\ufffd\u0669Y\ufffdy\\u0001\ufffd;u\ufffd0\\u0003\\\\\ufffd\ufffd\ufffd\ufffd3\ufffd-i\ufffdV\\u0005\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0014Mg\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffd\ufffdr\ufffdF\ufffd\\u001f\\u001c\ufffda\\u0007\ufffd`\ufffd\ufffd\ufffd\\u0011\ufffd\\u0010\\u001e\ufffd \ufffd\ufffd\ufffd(\ufffd\u0669Y\ufffdy\\u0001\ufffd;u\ufffd0\\u0003\\\\\ufffd\ufffd\ufffd\ufffd3\ufffd-i\ufffdV\\u0005\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\\u0013\\u0002\\u0013\\u0001\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0014Mg\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffd\ufffdr\ufffdF\ufffd\\u001f\\u001c\ufffda\\u0007\ufffd`\ufffd\ufffd\ufffd\\u0011\ufffd\\u0010\\u001e\ufffd \ufffd\ufffd\ufffd(\ufffd\u0669Y\ufffdy\\u0001\ufffd;u\ufffd0\\u0003\\\\\ufffd\ufffd\ufffd\ufffd3\ufffd-i\ufffdV\\u0005\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224db4549689f99cf539d6e6e23691380cb52df87b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0014Mg\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffd\ufffdr\ufffdF\ufffd\\u001f\\u001c\ufffda\\u0007\ufffd`\ufffd\ufffd\ufffd\\u0011\ufffd\\u0010\\u001e\ufffd \ufffd\ufffd\ufffd(\ufffd\u0669Y\ufffdy\\u0001\ufffd;u\ufffd0\\u0003\\\\\ufffd\ufffd\ufffd\ufffd3\ufffd-i\ufffdV\\u0005\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdMg\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffd\ufffdr\ufffdF\ufffd\ufffda\ufffd`\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd(\ufffd\u0669Y\ufffdy\ufffd;u\ufffd0\\\\\ufffd\ufffd\ufffd\ufffd3\ufffd-i\ufffdV\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0014Mg\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffd\ufffdr\ufffdF\ufffd\\u001f\\u001c\ufffda\\u0007\ufffd`\ufffd\ufffd\ufffd\\u0011\ufffd\\u0010\\u001e\ufffd \ufffd\ufffd\ufffd(\ufffd\u0669Y\ufffdy\\u0001\ufffd;u\ufffd0\\u0003\\\\\ufffd\ufffd\ufffd\ufffd3\ufffd-i\ufffdV\\u0005\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdMg\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffd\ufffdr\ufffdF\ufffd\ufffda\ufffd`\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd(\ufffd\u0669Y\ufffdy\ufffd;u\ufffd0\\\\\ufffd\ufffd\ufffd\ufffd3\ufffd-i\ufffdV\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":424},{"id":9528153,"ip":"82.102.31.6","ts":"2026-06-17 22:50:18.000000","proto":"tcp","src_port":33972,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 3.933837254464351, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002215b29278109c12ee7939874c65fd21ed\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\\t+\ufffd\u0189%U\ufffdG.U}\ufffd`\ufffd\ufffd\ufffdT+!\\b\ufffd\ufffdg\ufffd\ufffdm 7+\u003C\ufffdd\ufffd\ufffd\ufffd\ufffd\\u0012\ufffdi\ufffd\ufffd\ufffdg\\r\\u0019\u00e7\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffd5Y\ufffd\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\\t+\ufffd\u0189%U\ufffdG.U}\ufffd`\ufffd\ufffd\ufffdT+!\\b\ufffd\ufffdg\ufffd\ufffdm 7+\u003C\ufffdd\ufffd\ufffd\ufffd\ufffd\\u0012\ufffdi\ufffd\ufffd\ufffdg\\r\\u0019\u00e7\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffd5Y\ufffd\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\\u0000\ufffd\\u0000=\\u0000\u003C\\u00005\\u0000\/\\u0000\ufffd\\u0001\\u0000\\u0001u\\u0000\\u000b\\u0000\\u0004\\u0003\\u0000\\u0001\\u0002\\u0000\\n\\u0000\\u0016\\u0000\\u0014\\u0000\\u001d\\u0000\\u0017\\u0000\\u001e\\u0000\\u0019\\u0000\\u0018\\u0001\\u0000\\u0001\\u0001\\u0001\\u0002\\u0001\\u0003\\u0001\\u0004\\u0000#\\u0000\\u0000\\u0000\\u0016\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\r\\u0000*\\u0000(\\u0004\\u0003\\u0005\\u0003\\u0006\\u0003\\b\\u0007\\b\\b\\b\\t\\b\\n\\b\\u000b\\b\\u0004\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0003\\u0003\\u0003\\u0001\\u0003\\u0002\\u0004\\u0002\\u0005\\u0002\\u0006\\u0002\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u0000-\\u0000\\u0002\\u0001\\u0001\\u00003\\u0000\u0026\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\\t+\ufffd\u0189%U\ufffdG.U}\ufffd`\ufffd\ufffd\ufffdT+!\\b\ufffd\ufffdg\ufffd\ufffdm 7+\u003C\ufffdd\ufffd\ufffd\ufffd\ufffd\\u0012\ufffdi\ufffd\ufffd\ufffdg\\r\\u0019\u00e7\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffd5Y\ufffd\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221ec51f371a68e563e6c10b161e2691a18f739b52\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\\t+\ufffd\u0189%U\ufffdG.U}\ufffd`\ufffd\ufffd\ufffdT+!\\b\ufffd\ufffdg\ufffd\ufffdm 7+\u003C\ufffdd\ufffd\ufffd\ufffd\ufffd\\u0012\ufffdi\ufffd\ufffd\ufffdg\\r\\u0019\u00e7\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffd5Y\ufffd\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\\t+\ufffd\u0189%U\ufffdG.U}\ufffd`\ufffd\ufffd\ufffdT+!\ufffd\ufffdg\ufffd\ufffdm 7+\u003C\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd\ufffd\ufffdg\\r\u00e7\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffd5Y\ufffd\ufffd\ufffd\u003E\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd\u0027g\ufffd\\n\ufffd9\ufffd\\t\ufffd3\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\\t+\ufffd\u0189%U\ufffdG.U}\ufffd`\ufffd\ufffd\ufffdT+!\\b\ufffd\ufffdg\ufffd\ufffdm 7+\u003C\ufffdd\ufffd\ufffd\ufffd\ufffd\\u0012\ufffdi\ufffd\ufffd\ufffdg\\r\\u0019\u00e7\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffd5Y\ufffd\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\\t+\ufffd\u0189%U\ufffdG.U}\ufffd`\ufffd\ufffd\ufffdT+!\ufffd\ufffdg\ufffd\ufffdm 7+\u003C\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd\ufffd\ufffdg\\r\u00e7\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffd5Y\ufffd\ufffd\ufffd\u003E\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd\u0027g\ufffd\\n\ufffd9\ufffd\\t\ufffd3\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":517},{"id":9424019,"ip":"82.102.31.6","ts":"2026-06-16 21:16:54.000000","proto":"tcp","src_port":59304,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 416, \u0022payload_entropy\u0022: 5.989674623978745, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f8988da843545aee745907bd16801c54\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u0019\ufffd\ufffd-\\\u0022\\u000f\ufffd\u045a9\\u0007\ufffdi\ufffd\\u0016\\u001eo\ufffd\ufffdV\\u0011_\u0026\\u0019!v\\u000b\u003EG?\\\u00221 v\ufffd\ufffdRy\ufffd[}t]\ufffdDO\ufffd\ufffd`t\u0026\ufffd,\ufffd\ufffds\ufffd\\u0001\ufffd\ufffd3\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u0019\ufffd\ufffd-\\\u0022\\u000f\ufffd\u045a9\\u0007\ufffdi\ufffd\\u0016\\u001eo\ufffd\ufffdV\\u0011_\u0026\\u0019!v\\u000b\u003EG?\\\u00221 v\ufffd\ufffdRy\ufffd[}t]\ufffdDO\ufffd\ufffd`t\u0026\ufffd,\ufffd\ufffds\ufffd\\u0001\ufffd\ufffd3\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u0019\ufffd\ufffd-\\\u0022\\u000f\ufffd\u045a9\\u0007\ufffdi\ufffd\\u0016\\u001eo\ufffd\ufffdV\\u0011_\u0026\\u0019!v\\u000b\u003EG?\\\u00221 v\ufffd\ufffdRy\ufffd[}t]\ufffdDO\ufffd\ufffd`t\u0026\ufffd,\ufffd\ufffds\ufffd\\u0001\ufffd\ufffd3\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b6cadd769988e38598efb70eabc6245bc758c5e0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u0019\ufffd\ufffd-\\\u0022\\u000f\ufffd\u045a9\\u0007\ufffdi\ufffd\\u0016\\u001eo\ufffd\ufffdV\\u0011_\u0026\\u0019!v\\u000b\u003EG?\\\u00221 v\ufffd\ufffdRy\ufffd[}t]\ufffdDO\ufffd\ufffd`t\u0026\ufffd,\ufffd\ufffds\ufffd\\u0001\ufffd\ufffd3\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd-\\\u0022\ufffd\u045a9\ufffdi\ufffdo\ufffd\ufffdV_\u0026!v\u003EG?\\\u00221 v\ufffd\ufffdRy\ufffd[}t]\ufffdDO\ufffd\ufffd`t\u0026\ufffd,\ufffd\ufffds\ufffd\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u0019\ufffd\ufffd-\\\u0022\\u000f\ufffd\u045a9\\u0007\ufffdi\ufffd\\u0016\\u001eo\ufffd\ufffdV\\u0011_\u0026\\u0019!v\\u000b\u003EG?\\\u00221 v\ufffd\ufffdRy\ufffd[}t]\ufffdDO\ufffd\ufffd`t\u0026\ufffd,\ufffd\ufffds\ufffd\\u0001\ufffd\ufffd3\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd-\\\u0022\ufffd\u045a9\ufffdi\ufffdo\ufffd\ufffdV_\u0026!v\u003EG?\\\u00221 v\ufffd\ufffdRy\ufffd[}t]\ufffdDO\ufffd\ufffd`t\u0026\ufffd,\ufffd\ufffds\ufffd\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":416},{"id":9424021,"ip":"82.102.31.6","ts":"2026-06-16 21:16:54.000000","proto":"tcp","src_port":38616,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 439, \u0022payload_entropy\u0022: 6.029110529863799, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002261d5509436af129fd797de05c257967a\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0019\\u0003\ufffd\\u0014\ufffd\\u001f\ufffd\ufffd\ufffd\ufffd\ufffdc*qt\ufffd\ufffd4P*\\u0019_R\\u000f\ufffdsKF \ufffd[\ufffdu\ufffd\ufffd\ufffd\ufffd\ufffd g\ufffd\\u0006qT\ufffd!r\ufffd8\\u0011(\ufffd:\ufffdX\\u0002\\u0000\ufffd\\u000e]\ufffd\\u0000\ufffd::\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0019\\u0003\ufffd\\u0014\ufffd\\u001f\ufffd\ufffd\ufffd\ufffd\ufffdc*qt\ufffd\ufffd4P*\\u0019_R\\u000f\ufffdsKF \ufffd[\ufffdu\ufffd\ufffd\ufffd\ufffd\ufffd g\ufffd\\u0006qT\ufffd!r\ufffd8\\u0011(\ufffd:\ufffdX\\u0002\\u0000\ufffd\\u000e]\ufffd\\u0000\ufffd::\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\ufffd\\n\\u0013\\u0004\ufffd+\\u0013\\u0003\ufffd\ufffd\ufffd\\u0013\ufffd\ufffd\ufffd\\u0011\ufffd#\\u0000\\n\ufffd\\t\\u0000\/\ufffd\\b\\u0000\u003C\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000E\\u0000=\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000k\\u0000A\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\\u0007\\u0000g\\u0000\\u0004\\u00003\\u0000\\u0005\\u0000\\u0016\\u0001\\u0000\\u0000\u066a\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0019\\u0003\ufffd\\u0014\ufffd\\u001f\ufffd\ufffd\ufffd\ufffd\ufffdc*qt\ufffd\ufffd4P*\\u0019_R\\u000f\ufffdsKF \ufffd[\ufffdu\ufffd\ufffd\ufffd\ufffd\ufffd g\ufffd\\u0006qT\ufffd!r\ufffd8\\u0011(\ufffd:\ufffdX\\u0002\\u0000\ufffd\\u000e]\ufffd\\u0000\ufffd::\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e3dc7b1bb80d66316f60527cfee1c81f8e69748d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0019\\u0003\ufffd\\u0014\ufffd\\u001f\ufffd\ufffd\ufffd\ufffd\ufffdc*qt\ufffd\ufffd4P*\\u0019_R\\u000f\ufffdsKF \ufffd[\ufffdu\ufffd\ufffd\ufffd\ufffd\ufffd g\ufffd\\u0006qT\ufffd!r\ufffd8\\u0011(\ufffd:\ufffdX\\u0002\\u0000\ufffd\\u000e]\ufffd\\u0000\ufffd::\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdc*qt\ufffd\ufffd4P*_R\ufffdsKF \ufffd[\ufffdu\ufffd\ufffd\ufffd\ufffd\ufffd g\ufffdqT\ufffd!r\ufffd8(\ufffd:\ufffdX\ufffd]\ufffd\ufffd::\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0019\\u0003\ufffd\\u0014\ufffd\\u001f\ufffd\ufffd\ufffd\ufffd\ufffdc*qt\ufffd\ufffd4P*\\u0019_R\\u000f\ufffdsKF \ufffd[\ufffdu\ufffd\ufffd\ufffd\ufffd\ufffd g\ufffd\\u0006qT\ufffd!r\ufffd8\\u0011(\ufffd:\ufffdX\\u0002\\u0000\ufffd\\u000e]\ufffd\\u0000\ufffd::\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdc*qt\ufffd\ufffd4P*_R\ufffdsKF \ufffd[\ufffdu\ufffd\ufffd\ufffd\ufffd\ufffd g\ufffdqT\ufffd!r\ufffd8(\ufffd:\ufffdX\ufffd]\ufffd\ufffd::\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":439},{"id":9424017,"ip":"82.102.31.6","ts":"2026-06-16 21:16:53.000000","proto":"tcp","src_port":59300,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 426, \u0022payload_entropy\u0022: 5.954355245355343, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022059f85768fabbe1d8aa0ef8f4fba1644\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\f\ufffdp\ufffd\\nXvy\\u0019\ufffd\ufffd\ufffd\\u0018\\u0014\ufffd\ufffd^\ufffd\\u0017\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\\u0017\ufffd\ufffd4n h\ufffd\ufffd\\u0007\ufffd\ufffdAcz\\u0007\\u0006\ufffdd\\u0019l\ufffd$O\ufffd\ufffd\ufffd\\u0017\\u0000r\ufffd\ufffd\\u001e\\f\ufffdk\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\f\ufffdp\ufffd\\nXvy\\u0019\ufffd\ufffd\ufffd\\u0018\\u0014\ufffd\ufffd^\ufffd\\u0017\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\\u0017\ufffd\ufffd4n h\ufffd\ufffd\\u0007\ufffd\ufffdAcz\\u0007\\u0006\ufffdd\\u0019l\ufffd$O\ufffd\ufffd\ufffd\\u0017\\u0000r\ufffd\ufffd\\u001e\\f\ufffdk\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\ufffdv\ufffda\ufffd`\ufffd0\ufffd(\ufffd\\u0014\ufffd\/\ufffd\u0027\ufffd\\u0013\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000k\\u00009\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000g\\u00003\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\f\ufffdp\ufffd\\nXvy\\u0019\ufffd\ufffd\ufffd\\u0018\\u0014\ufffd\ufffd^\ufffd\\u0017\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\\u0017\ufffd\ufffd4n h\ufffd\ufffd\\u0007\ufffd\ufffdAcz\\u0007\\u0006\ufffdd\\u0019l\ufffd$O\ufffd\ufffd\ufffd\\u0017\\u0000r\ufffd\ufffd\\u001e\\f\ufffdk\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223b0b7bf6f1fda55de10a72e6e1204169742412fb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\f\ufffdp\ufffd\\nXvy\\u0019\ufffd\ufffd\ufffd\\u0018\\u0014\ufffd\ufffd^\ufffd\\u0017\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\\u0017\ufffd\ufffd4n h\ufffd\ufffd\\u0007\ufffd\ufffdAcz\\u0007\\u0006\ufffdd\\u0019l\ufffd$O\ufffd\ufffd\ufffd\\u0017\\u0000r\ufffd\ufffd\\u001e\\f\ufffdk\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdp\ufffd\\nXvy\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd4n h\ufffd\ufffd\ufffd\ufffdAcz\ufffddl\ufffd$O\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\/\\n\ufffd\ufffd\u0328\ufffdw\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\f\ufffdp\ufffd\\nXvy\\u0019\ufffd\ufffd\ufffd\\u0018\\u0014\ufffd\ufffd^\ufffd\\u0017\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\\u0017\ufffd\ufffd4n h\ufffd\ufffd\\u0007\ufffd\ufffdAcz\\u0007\\u0006\ufffdd\\u0019l\ufffd$O\ufffd\ufffd\ufffd\\u0017\\u0000r\ufffd\ufffd\\u001e\\f\ufffdk\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdp\ufffd\\nXvy\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd4n h\ufffd\ufffd\ufffd\ufffdAcz\ufffddl\ufffd$O\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\/\\n\ufffd\ufffd\u0328\ufffdw\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":426},{"id":9424015,"ip":"82.102.31.6","ts":"2026-06-16 21:16:52.000000","proto":"tcp","src_port":59284,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 426, \u0022payload_entropy\u0022: 6.012203050553459, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223003e482ce36b2b30ee0524f6cd4babd\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003i\ufffd\ufffdC`\ufffd\\u0017\ufffd\\r\ufffdx\ufffd\\u0011\ufffdt\ufffd\\u0007\ufffd\\u0017\ufffdiu\ufffd:\u041e\ufffd8\ufffd\ufffd\ufffdn \ufffd\\r\ufffd\ufffd\\u000b\ufffdI\\u001e_\ufffd\ufffdE|\u05a0\ufffdj4\ufffd(\\u0015\ufffd\ufffd\ufffd\\t\ufffd\\u001b\ufffd%\ufffd\u0027.\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003i\ufffd\ufffdC`\ufffd\\u0017\ufffd\\r\ufffdx\ufffd\\u0011\ufffdt\ufffd\\u0007\ufffd\\u0017\ufffdiu\ufffd:\u041e\ufffd8\ufffd\ufffd\ufffdn \ufffd\\r\ufffd\ufffd\\u000b\ufffdI\\u001e_\ufffd\ufffdE|\u05a0\ufffdj4\ufffd(\\u0015\ufffd\ufffd\ufffd\\t\ufffd\\u001b\ufffd%\ufffd\u0027.\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\\u0013\\u0002\\u0013\\u0001\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003i\ufffd\ufffdC`\ufffd\\u0017\ufffd\\r\ufffdx\ufffd\\u0011\ufffdt\ufffd\\u0007\ufffd\\u0017\ufffdiu\ufffd:\u041e\ufffd8\ufffd\ufffd\ufffdn \ufffd\\r\ufffd\ufffd\\u000b\ufffdI\\u001e_\ufffd\ufffdE|\u05a0\ufffdj4\ufffd(\\u0015\ufffd\ufffd\ufffd\\t\ufffd\\u001b\ufffd%\ufffd\u0027.\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c041de08355751ab01aaa7b1351dd1a89cee818d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003i\ufffd\ufffdC`\ufffd\\u0017\ufffd\\r\ufffdx\ufffd\\u0011\ufffdt\ufffd\\u0007\ufffd\\u0017\ufffdiu\ufffd:\u041e\ufffd8\ufffd\ufffd\ufffdn \ufffd\\r\ufffd\ufffd\\u000b\ufffdI\\u001e_\ufffd\ufffdE|\u05a0\ufffdj4\ufffd(\\u0015\ufffd\ufffd\ufffd\\t\ufffd\\u001b\ufffd%\ufffd\u0027.\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdi\ufffd\ufffdC`\ufffd\ufffd\\r\ufffdx\ufffd\ufffdt\ufffd\ufffd\ufffdiu\ufffd:\u041e\ufffd8\ufffd\ufffd\ufffdn \ufffd\\r\ufffd\ufffd\ufffdI_\ufffd\ufffdE|\u05a0\ufffdj4\ufffd(\ufffd\ufffd\ufffd\\t\ufffd\ufffd%\ufffd\u0027.\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003i\ufffd\ufffdC`\ufffd\\u0017\ufffd\\r\ufffdx\ufffd\\u0011\ufffdt\ufffd\\u0007\ufffd\\u0017\ufffdiu\ufffd:\u041e\ufffd8\ufffd\ufffd\ufffdn \ufffd\\r\ufffd\ufffd\\u000b\ufffdI\\u001e_\ufffd\ufffdE|\u05a0\ufffdj4\ufffd(\\u0015\ufffd\ufffd\ufffd\\t\ufffd\\u001b\ufffd%\ufffd\u0027.\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdi\ufffd\ufffdC`\ufffd\ufffd\\r\ufffdx\ufffd\ufffdt\ufffd\ufffd\ufffdiu\ufffd:\u041e\ufffd8\ufffd\ufffd\ufffdn \ufffd\\r\ufffd\ufffd\ufffdI_\ufffd\ufffdE|\u05a0\ufffdj4\ufffd(\ufffd\ufffd\ufffd\\t\ufffd\ufffd%\ufffd\u0027.\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":426},{"id":9424012,"ip":"82.102.31.6","ts":"2026-06-16 21:16:51.000000","proto":"tcp","src_port":59274,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 413, \u0022payload_entropy\u0022: 5.989113891886472, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002233abe9b9b81f7e9cb1b0489209c9e737\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002Z\ufffd\ufffd\\u0000\ufffds\ufffd\ufffd\\u0013d^Xp\ufffdR\ufffdGQT\u00ef\\u001f\\u0002\u048d\\u0016n\ufffd\ufffdX\\u0002\ufffd y\ufffd9\ufffd7m\ufffd\ufffd\\rF\ufffd\\u00120\ufffd\ufffd\ufffdV\ufffd\ufffds\\u0003S{\u0027\ufffdjyQ-\ufffd\u03f2\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002Z\ufffd\ufffd\\u0000\ufffds\ufffd\ufffd\\u0013d^Xp\ufffdR\ufffdGQT\u00ef\\u001f\\u0002\u048d\\u0016n\ufffd\ufffdX\\u0002\ufffd y\ufffd9\ufffd7m\ufffd\ufffd\\rF\ufffd\\u00120\ufffd\ufffd\ufffdV\ufffd\ufffds\\u0003S{\u0027\ufffdjyQ-\ufffd\u03f2\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\\u0013\\u0002\\u0013\\u0001\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002Z\ufffd\ufffd\\u0000\ufffds\ufffd\ufffd\\u0013d^Xp\ufffdR\ufffdGQT\u00ef\\u001f\\u0002\u048d\\u0016n\ufffd\ufffdX\\u0002\ufffd y\ufffd9\ufffd7m\ufffd\ufffd\\rF\ufffd\\u00120\ufffd\ufffd\ufffdV\ufffd\ufffds\\u0003S{\u0027\ufffdjyQ-\ufffd\u03f2\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e074c18fdead4db743e8301c4e5bee830c9c13ae\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002Z\ufffd\ufffd\\u0000\ufffds\ufffd\ufffd\\u0013d^Xp\ufffdR\ufffdGQT\u00ef\\u001f\\u0002\u048d\\u0016n\ufffd\ufffdX\\u0002\ufffd y\ufffd9\ufffd7m\ufffd\ufffd\\rF\ufffd\\u00120\ufffd\ufffd\ufffdV\ufffd\ufffds\\u0003S{\u0027\ufffdjyQ-\ufffd\u03f2\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdZ\ufffd\ufffd\ufffds\ufffd\ufffdd^Xp\ufffdR\ufffdGQT\u00ef\u048dn\ufffd\ufffdX\ufffd y\ufffd9\ufffd7m\ufffd\ufffd\\rF\ufffd0\ufffd\ufffd\ufffdV\ufffd\ufffdsS{\u0027\ufffdjyQ-\ufffd\u03f2\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002Z\ufffd\ufffd\\u0000\ufffds\ufffd\ufffd\\u0013d^Xp\ufffdR\ufffdGQT\u00ef\\u001f\\u0002\u048d\\u0016n\ufffd\ufffdX\\u0002\ufffd y\ufffd9\ufffd7m\ufffd\ufffd\\rF\ufffd\\u00120\ufffd\ufffd\ufffdV\ufffd\ufffds\\u0003S{\u0027\ufffdjyQ-\ufffd\u03f2\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdZ\ufffd\ufffd\ufffds\ufffd\ufffdd^Xp\ufffdR\ufffdGQT\u00ef\u048dn\ufffd\ufffdX\ufffd y\ufffd9\ufffd7m\ufffd\ufffd\\rF\ufffd0\ufffd\ufffd\ufffdV\ufffd\ufffdsS{\u0027\ufffdjyQ-\ufffd\u03f2\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":413},{"id":9424009,"ip":"82.102.31.6","ts":"2026-06-16 21:16:50.000000","proto":"tcp","src_port":59256,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 331, \u0022payload_entropy\u0022: 6.032731308392595, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002277905e2034c56669f4e94cb593b34670\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003\ufffd\\f\ufffdZ?\ufffd\ufffd\ufffd\ufffd]p\ufffd\\u0005\ufffdr\ufffd\\u0000\ufffdjb\ufffd\ufffd4\ufffd\\u0014\ufffd\ufffd4\ufffd \\u0003y;]\\nx\ufffd\ufffdO\\u0003\ufffd\ufffdU\ufffd\\r\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffd|\ufffd\u003CD,\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003\ufffd\\f\ufffdZ?\ufffd\ufffd\ufffd\ufffd]p\ufffd\\u0005\ufffdr\ufffd\\u0000\ufffdjb\ufffd\ufffd4\ufffd\\u0014\ufffd\ufffd4\ufffd \\u0003y;]\\nx\ufffd\ufffdO\\u0003\ufffd\ufffdU\ufffd\\r\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffd|\ufffd\u003CD,\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0010\\u00000\\u0000.\\bhttp\/0.9\\bhttp\/1.0\\u0006spdy\/1\\u0006spdy\/2\\u0006spdy\/3\\u0003h2c\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003\ufffd\\f\ufffdZ?\ufffd\ufffd\ufffd\ufffd]p\ufffd\\u0005\ufffdr\ufffd\\u0000\ufffdjb\ufffd\ufffd4\ufffd\\u0014\ufffd\ufffd4\ufffd \\u0003y;]\\nx\ufffd\ufffdO\\u0003\ufffd\ufffdU\ufffd\\r\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffd|\ufffd\u003CD,\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002225550a3c2a1ebe18e2a8e6fb7b694f159a30d2d3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003\ufffd\\f\ufffdZ?\ufffd\ufffd\ufffd\ufffd]p\ufffd\\u0005\ufffdr\ufffd\\u0000\ufffdjb\ufffd\ufffd4\ufffd\\u0014\ufffd\ufffd4\ufffd \\u0003y;]\\nx\ufffd\ufffdO\\u0003\ufffd\ufffdU\ufffd\\r\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffd|\ufffd\u003CD,\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022FB\ufffd\ufffdZ?\ufffd\ufffd\ufffd\ufffd]p\ufffd\ufffdr\ufffd\ufffdjb\ufffd\ufffd4\ufffd\ufffd\ufffd4\ufffd y;]\\nx\ufffd\ufffdO\ufffd\ufffdU\ufffd\\r\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffd|\ufffd\u003CD,D\ufffd\ufffd\u0027\ufffd\/\ufffd\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\ufffd\ufffd\\n\/\u003C\ufffd\ufffd\ufffd\ufffd\ufffd5=\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001F\\u0001\\u0000\\u0001B\\u0003\\u0003\ufffd\\f\ufffdZ?\ufffd\ufffd\ufffd\ufffd]p\ufffd\\u0005\ufffdr\ufffd\\u0000\ufffdjb\ufffd\ufffd4\ufffd\\u0014\ufffd\ufffd4\ufffd \\u0003y;]\\nx\ufffd\ufffdO\\u0003\ufffd\ufffdU\ufffd\\r\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffd|\ufffd\u003CD,\\u0000D\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022FB\ufffd\ufffdZ?\ufffd\ufffd\ufffd\ufffd]p\ufffd\ufffdr\ufffd\ufffdjb\ufffd\ufffd4\ufffd\ufffd\ufffd4\ufffd y;]\\nx\ufffd\ufffdO\ufffd\ufffdU\ufffd\\r\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffd|\ufffd\u003CD,D\ufffd\ufffd\u0027\ufffd\/\ufffd\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\ufffd\ufffd\\n\/\u003C\ufffd\ufffd\ufffd\ufffd\ufffd5=\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":331},{"id":9424011,"ip":"82.102.31.6","ts":"2026-06-16 21:16:50.000000","proto":"tcp","src_port":59266,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 412, \u0022payload_entropy\u0022: 5.978563153706847, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224c78d29afe98708e9ee7416a13c77abc\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003K\\u000f\\\\\ufffd\ufffdEU\u00ac\ufffd\\u0000\ufffd\\u0002G\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd\\u0003\ufffd\\u0010TD\\u0016\ufffd]_ \ufffd.dS\\u0016\u00bc\ufffd\ufffd-\ufffd\ufffdZ\\u000b\\u0006\\u001d\ufffd^\ufffd\\u001f\\n\ufffd\ufffd\ufffd\\u0019\ufffd:p\u06fd8`\\u0000\ufffdzz\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003K\\u000f\\\\\ufffd\ufffdEU\u00ac\ufffd\\u0000\ufffd\\u0002G\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd\\u0003\ufffd\\u0010TD\\u0016\ufffd]_ \ufffd.dS\\u0016\u00bc\ufffd\ufffd-\ufffd\ufffdZ\\u000b\\u0006\\u001d\ufffd^\ufffd\\u001f\\n\ufffd\ufffd\ufffd\\u0019\ufffd:p\u06fd8`\\u0000\ufffdzz\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\ufffd\\n\\u0013\\u0004\ufffd+\\u0013\\u0003\ufffd\ufffd\ufffd\\u0013\ufffd\ufffd\ufffd\\u0011\ufffd#\\u0000\\n\ufffd\\t\\u0000\/\ufffd\\b\\u0000\u003C\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000E\\u0000=\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000k\\u0000A\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\\u0007\\u0000g\\u0000\\u0004\\u00003\\u0000\\u0005\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003K\\u000f\\\\\ufffd\ufffdEU\u00ac\ufffd\\u0000\ufffd\\u0002G\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd\\u0003\ufffd\\u0010TD\\u0016\ufffd]_ \ufffd.dS\\u0016\u00bc\ufffd\ufffd-\ufffd\ufffdZ\\u000b\\u0006\\u001d\ufffd^\ufffd\\u001f\\n\ufffd\ufffd\ufffd\\u0019\ufffd:p\u06fd8`\\u0000\ufffdzz\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220729462c9d03f0355d5411ec15245de990a57898\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003K\\u000f\\\\\ufffd\ufffdEU\u00ac\ufffd\\u0000\ufffd\\u0002G\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd\\u0003\ufffd\\u0010TD\\u0016\ufffd]_ \ufffd.dS\\u0016\u00bc\ufffd\ufffd-\ufffd\ufffdZ\\u000b\\u0006\\u001d\ufffd^\ufffd\\u001f\\n\ufffd\ufffd\ufffd\\u0019\ufffd:p\u06fd8`\\u0000\ufffdzz\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdK\\\\\ufffd\ufffdEU\u00ac\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd\ufffdTD\ufffd]_ \ufffd.dS\u00bc\ufffd\ufffd-\ufffd\ufffdZ\ufffd^\ufffd\\n\ufffd\ufffd\ufffd\ufffd:p\u06fd8`\ufffdzz\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003K\\u000f\\\\\ufffd\ufffdEU\u00ac\ufffd\\u0000\ufffd\\u0002G\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd\\u0003\ufffd\\u0010TD\\u0016\ufffd]_ \ufffd.dS\\u0016\u00bc\ufffd\ufffd-\ufffd\ufffdZ\\u000b\\u0006\\u001d\ufffd^\ufffd\\u001f\\n\ufffd\ufffd\ufffd\\u0019\ufffd:p\u06fd8`\\u0000\ufffdzz\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdK\\\\\ufffd\ufffdEU\u00ac\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd\ufffdTD\ufffd]_ \ufffd.dS\u00bc\ufffd\ufffd-\ufffd\ufffdZ\ufffd^\ufffd\\n\ufffd\ufffd\ufffd\ufffd:p\u06fd8`\ufffdzz\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":412},{"id":9424007,"ip":"82.102.31.6","ts":"2026-06-16 21:16:49.000000","proto":"tcp","src_port":59244,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 345, \u0022payload_entropy\u0022: 6.147771772731207, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a786e2e844da4199e4adfd6d4d7920d1\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003\ufffdA\ufffd`\ufffdq\ufffduW\ufffd\ufffd\ufffd\\n\ufffd\u01f7\ufffd,M\ufffd\\u0018\ufffd\\u0010\ufffd\ufffd\ufffd5\ufffd\ufffdl\ufffdZ P\ufffdz\ufffd\\u001e^\ufffd\ufffd\ufffd\ufffd\u217c\ufffd\ufffdUO9\ufffd\ufffdks\ufffdb\ufffd\ufffd?\ufffdg\ufffd\ufffd\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003\ufffdA\ufffd`\ufffdq\ufffduW\ufffd\ufffd\ufffd\\n\ufffd\u01f7\ufffd,M\ufffd\\u0018\ufffd\\u0010\ufffd\ufffd\ufffd5\ufffd\ufffdl\ufffdZ P\ufffdz\ufffd\\u001e^\ufffd\ufffd\ufffd\ufffd\u217c\ufffd\ufffdUO9\ufffd\ufffdks\ufffdb\ufffd\ufffd?\ufffdg\ufffd\ufffd\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000k\\u00009\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000g\\u00003\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0010\\u0000\u003C\\u0000:\\bhttp\/0.9\\bhttp\/1.0\\bhttp\/1.1\\u0006spdy\/1\\u0006spdy\/2\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003\ufffdA\ufffd`\ufffdq\ufffduW\ufffd\ufffd\ufffd\\n\ufffd\u01f7\ufffd,M\ufffd\\u0018\ufffd\\u0010\ufffd\ufffd\ufffd5\ufffd\ufffdl\ufffdZ P\ufffdz\ufffd\\u001e^\ufffd\ufffd\ufffd\ufffd\u217c\ufffd\ufffdUO9\ufffd\ufffdks\ufffdb\ufffd\ufffd?\ufffdg\ufffd\ufffd\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003\ufffdA\ufffd`\ufffdq\ufffduW\ufffd\ufffd\ufffd\\n\ufffd\u01f7\ufffd,M\ufffd\\u0018\ufffd\\u0010\ufffd\ufffd\ufffd5\ufffd\ufffdl\ufffdZ P\ufffdz\ufffd\\u001e^\ufffd\ufffd\ufffd\ufffd\u217c\ufffd\ufffdUO9\ufffd\ufffdks\ufffdb\ufffd\ufffd?\ufffdg\ufffd\ufffd\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000k\\u00009\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000g\\u00003\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0010\\u0000\u003C\\u0000:\\bhttp\/0.9\\bhttp\/1.0\\bhttp\/1.1\\u0006spdy\/1\\u0006spdy\/2\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003\ufffdA\ufffd`\ufffdq\ufffduW\ufffd\ufffd\ufffd\\n\ufffd\u01f7\ufffd,M\ufffd\\u0018\ufffd\\u0010\ufffd\ufffd\ufffd5\ufffd\ufffdl\ufffdZ P\ufffdz\ufffd\\u001e^\ufffd\ufffd\ufffd\ufffd\u217c\ufffd\ufffdUO9\ufffd\ufffdks\ufffdb\ufffd\ufffd?\ufffdg\ufffd\ufffd\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e74bd51f0aa4c3f8e8b78351ee8218e822b207f8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003\ufffdA\ufffd`\ufffdq\ufffduW\ufffd\ufffd\ufffd\\n\ufffd\u01f7\ufffd,M\ufffd\\u0018\ufffd\\u0010\ufffd\ufffd\ufffd5\ufffd\ufffdl\ufffdZ P\ufffdz\ufffd\\u001e^\ufffd\ufffd\ufffd\ufffd\u217c\ufffd\ufffdUO9\ufffd\ufffdks\ufffdb\ufffd\ufffd?\ufffdg\ufffd\ufffd\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022TP\ufffdA\ufffd`\ufffdq\ufffduW\ufffd\ufffd\ufffd\\n\ufffd\u01f7\ufffd,M\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffdl\ufffdZ P\ufffdz\ufffd^\ufffd\ufffd\ufffd\ufffd\u217c\ufffd\ufffdUO9\ufffd\ufffdks\ufffdb\ufffd\ufffd?\ufffdg\ufffd\ufffdF\ufffd\ufffd\ufffd\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001T\\u0001\\u0000\\u0001P\\u0003\\u0003\ufffdA\ufffd`\ufffdq\ufffduW\ufffd\ufffd\ufffd\\n\ufffd\u01f7\ufffd,M\ufffd\\u0018\ufffd\\u0010\ufffd\ufffd\ufffd5\ufffd\ufffdl\ufffdZ P\ufffdz\ufffd\\u001e^\ufffd\ufffd\ufffd\ufffd\u217c\ufffd\ufffdUO9\ufffd\ufffdks\ufffdb\ufffd\ufffd?\ufffdg\ufffd\ufffd\\u0000F\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TP\ufffdA\ufffd`\ufffdq\ufffduW\ufffd\ufffd\ufffd\\n\ufffd\u01f7\ufffd,M\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffdl\ufffdZ P\ufffdz\ufffd^\ufffd\ufffd\ufffd\ufffd\u217c\ufffd\ufffdUO9\ufffd\ufffdks\ufffdb\ufffd\ufffd?\ufffdg\ufffd\ufffdF\ufffd\ufffd\ufffd\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":345},{"id":9424006,"ip":"82.102.31.6","ts":"2026-06-16 21:16:48.000000","proto":"tcp","src_port":59230,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 424, \u0022payload_entropy\u0022: 5.923797033157651, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002294d19c38cd93187fa20e13eb22d16788\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0010\ufffdX^\ufffd6\ufffd)\ufffd%\ufffd\ufffd\\u001f0N\ufffdi\\\u0022\ufffd\\u001b\ufffd\ufffd\ufffdX\ufffd\ufffd\ufffd\ufffdY|: \ufffdD6\u05be\\u001a\ufffdY\\u0011#`\\u001f\/\\r% \ufffd\\u001c?\/R\ufffdd\\u0015\u02c8\u00e7\ufffd\ufffdq\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0010\ufffdX^\ufffd6\ufffd)\ufffd%\ufffd\ufffd\\u001f0N\ufffdi\\\u0022\ufffd\\u001b\ufffd\ufffd\ufffdX\ufffd\ufffd\ufffd\ufffdY|: \ufffdD6\u05be\\u001a\ufffdY\\u0011#`\\u001f\/\\r% \ufffd\\u001c?\/R\ufffdd\\u0015\u02c8\u00e7\ufffd\ufffdq\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\ufffdv\ufffda\ufffd`\ufffd0\ufffd(\ufffd\\u0014\ufffd\/\ufffd\u0027\ufffd\\u0013\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000k\\u00009\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000g\\u00003\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0010\ufffdX^\ufffd6\ufffd)\ufffd%\ufffd\ufffd\\u001f0N\ufffdi\\\u0022\ufffd\\u001b\ufffd\ufffd\ufffdX\ufffd\ufffd\ufffd\ufffdY|: \ufffdD6\u05be\\u001a\ufffdY\\u0011#`\\u001f\/\\r% \ufffd\\u001c?\/R\ufffdd\\u0015\u02c8\u00e7\ufffd\ufffdq\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002223417977faa55665b5aa09cc7790a9e16db0b63c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0010\ufffdX^\ufffd6\ufffd)\ufffd%\ufffd\ufffd\\u001f0N\ufffdi\\\u0022\ufffd\\u001b\ufffd\ufffd\ufffdX\ufffd\ufffd\ufffd\ufffdY|: \ufffdD6\u05be\\u001a\ufffdY\\u0011#`\\u001f\/\\r% \ufffd\\u001c?\/R\ufffdd\\u0015\u02c8\u00e7\ufffd\ufffdq\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdX^\ufffd6\ufffd)\ufffd%\ufffd\ufffd0N\ufffdi\\\u0022\ufffd\ufffd\ufffd\ufffdX\ufffd\ufffd\ufffd\ufffdY|: \ufffdD6\u05be\ufffdY#`\/\\r% \ufffd?\/R\ufffdd\u02c8\u00e7\ufffd\ufffdq\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\/\\n\ufffd\ufffd\u0328\ufffdw\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0010\ufffdX^\ufffd6\ufffd)\ufffd%\ufffd\ufffd\\u001f0N\ufffdi\\\u0022\ufffd\\u001b\ufffd\ufffd\ufffdX\ufffd\ufffd\ufffd\ufffdY|: \ufffdD6\u05be\\u001a\ufffdY\\u0011#`\\u001f\/\\r% \ufffd\\u001c?\/R\ufffdd\\u0015\u02c8\u00e7\ufffd\ufffdq\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdX^\ufffd6\ufffd)\ufffd%\ufffd\ufffd0N\ufffdi\\\u0022\ufffd\ufffd\ufffd\ufffdX\ufffd\ufffd\ufffd\ufffdY|: \ufffdD6\u05be\ufffdY#`\/\\r% \ufffd?\/R\ufffdd\u02c8\u00e7\ufffd\ufffdq\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\/\\n\ufffd\ufffd\u0328\ufffdw\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":424},{"id":9424004,"ip":"82.102.31.6","ts":"2026-06-16 21:16:47.000000","proto":"tcp","src_port":59218,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 424, \u0022payload_entropy\u0022: 5.9790970186140715, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224c977b82af82966cc49eb9160511bb30\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003(m\ufffd\\u0018G\ufffd3\ufffdfjO\ufffd[\\u0000F\ufffdX\ufffd\ufffd(6}\\u000f%\\u001f\\u0017XGff.\ufffd \ufffd\ufffdW\ufffdjp\ufffd\ufffdQ\\u001e\ufffd\ufffd?\\u001a\ufffd\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffdL\ufffdq\\b2\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003(m\ufffd\\u0018G\ufffd3\ufffdfjO\ufffd[\\u0000F\ufffdX\ufffd\ufffd(6}\\u000f%\\u001f\\u0017XGff.\ufffd \ufffd\ufffdW\ufffdjp\ufffd\ufffdQ\\u001e\ufffd\ufffd?\\u001a\ufffd\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffdL\ufffdq\\b2\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\\u0013\\u0002\\u0013\\u0001\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003(m\ufffd\\u0018G\ufffd3\ufffdfjO\ufffd[\\u0000F\ufffdX\ufffd\ufffd(6}\\u000f%\\u001f\\u0017XGff.\ufffd \ufffd\ufffdW\ufffdjp\ufffd\ufffdQ\\u001e\ufffd\ufffd?\\u001a\ufffd\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffdL\ufffdq\\b2\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022370c53bc1a74bb27fa3978b00c7c3387276b5c81\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003(m\ufffd\\u0018G\ufffd3\ufffdfjO\ufffd[\\u0000F\ufffdX\ufffd\ufffd(6}\\u000f%\\u001f\\u0017XGff.\ufffd \ufffd\ufffdW\ufffdjp\ufffd\ufffdQ\\u001e\ufffd\ufffd?\\u001a\ufffd\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffdL\ufffdq\\b2\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd(m\ufffdG\ufffd3\ufffdfjO\ufffd[F\ufffdX\ufffd\ufffd(6}%XGff.\ufffd \ufffd\ufffdW\ufffdjp\ufffd\ufffdQ\ufffd\ufffd?\ufffd\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffdL\ufffdq2\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003(m\ufffd\\u0018G\ufffd3\ufffdfjO\ufffd[\\u0000F\ufffdX\ufffd\ufffd(6}\\u000f%\\u001f\\u0017XGff.\ufffd \ufffd\ufffdW\ufffdjp\ufffd\ufffdQ\\u001e\ufffd\ufffd?\\u001a\ufffd\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffdL\ufffdq\\b2\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd(m\ufffdG\ufffd3\ufffdfjO\ufffd[F\ufffdX\ufffd\ufffd(6}%XGff.\ufffd \ufffd\ufffdW\ufffdjp\ufffd\ufffdQ\ufffd\ufffd?\ufffd\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffdL\ufffdq2\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":424},{"id":9424001,"ip":"82.102.31.6","ts":"2026-06-16 21:16:45.000000","proto":"tcp","src_port":59214,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 3.9368837619364547, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022db8d737824661e95268eaf0b5b792e30\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003X\ufffd$\ufffdF\\t\ufffd\ufffd$VdI)\\u0018\ufffd\u0191J\\u0016-yR\ufffd\ufffd\ufffd\u0652y\ufffdl\ufffd Q\ufffdrp\ufffd\\\\\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0018\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR]\ufffd\ufffd\\u0016\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003X\ufffd$\ufffdF\\t\ufffd\ufffd$VdI)\\u0018\ufffd\u0191J\\u0016-yR\ufffd\ufffd\ufffd\u0652y\ufffdl\ufffd Q\ufffdrp\ufffd\\\\\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0018\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR]\ufffd\ufffd\\u0016\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\\u0000\ufffd\\u0000=\\u0000\u003C\\u00005\\u0000\/\\u0000\ufffd\\u0001\\u0000\\u0001u\\u0000\\u000b\\u0000\\u0004\\u0003\\u0000\\u0001\\u0002\\u0000\\n\\u0000\\u0016\\u0000\\u0014\\u0000\\u001d\\u0000\\u0017\\u0000\\u001e\\u0000\\u0019\\u0000\\u0018\\u0001\\u0000\\u0001\\u0001\\u0001\\u0002\\u0001\\u0003\\u0001\\u0004\\u0000#\\u0000\\u0000\\u0000\\u0016\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\r\\u0000*\\u0000(\\u0004\\u0003\\u0005\\u0003\\u0006\\u0003\\b\\u0007\\b\\b\\b\\t\\b\\n\\b\\u000b\\b\\u0004\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0003\\u0003\\u0003\\u0001\\u0003\\u0002\\u0004\\u0002\\u0005\\u0002\\u0006\\u0002\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u0000-\\u0000\\u0002\\u0001\\u0001\\u00003\\u0000\u0026\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003X\ufffd$\ufffdF\\t\ufffd\ufffd$VdI)\\u0018\ufffd\u0191J\\u0016-yR\ufffd\ufffd\ufffd\u0652y\ufffdl\ufffd Q\ufffdrp\ufffd\\\\\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0018\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR]\ufffd\ufffd\\u0016\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a9ab5cc5c36581ad75929932be7fd12a8e6ad02c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003X\ufffd$\ufffdF\\t\ufffd\ufffd$VdI)\\u0018\ufffd\u0191J\\u0016-yR\ufffd\ufffd\ufffd\u0652y\ufffdl\ufffd Q\ufffdrp\ufffd\\\\\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0018\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR]\ufffd\ufffd\\u0016\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffdX\ufffd$\ufffdF\\t\ufffd\ufffd$VdI)\ufffd\u0191J-yR\ufffd\ufffd\ufffd\u0652y\ufffdl\ufffd Q\ufffdrp\ufffd\\\\\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR]\ufffd\ufffd\ufffd\ufffd\u003E\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd\u0027g\ufffd\\n\ufffd9\ufffd\\t\ufffd3\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003X\ufffd$\ufffdF\\t\ufffd\ufffd$VdI)\\u0018\ufffd\u0191J\\u0016-yR\ufffd\ufffd\ufffd\u0652y\ufffdl\ufffd Q\ufffdrp\ufffd\\\\\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0018\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR]\ufffd\ufffd\\u0016\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffdX\ufffd$\ufffdF\\t\ufffd\ufffd$VdI)\ufffd\u0191J-yR\ufffd\ufffd\ufffd\u0652y\ufffdl\ufffd Q\ufffdrp\ufffd\\\\\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR]\ufffd\ufffd\ufffd\ufffd\u003E\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd\u0027g\ufffd\\n\ufffd9\ufffd\\t\ufffd3\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":517},{"id":9295362,"ip":"82.102.31.6","ts":"2026-06-15 20:19:59.000000","proto":"tcp","src_port":59900,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 439, \u0022payload_entropy\u0022: 6.003481689630613, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002283125a518449134bf507311f44c203c0\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0006\ufffd\ufffdu\ufffd\u06c2ch\ufffd\ufffd\\u001e\ufffdB\\u001b\ufffdUh\\\u0022\ufffd\\u000f\ufffd,\ufffd\ufffd\ufffd\\u000f\ufffd8- u\\b\ufffd\\u0014\\u0010m\ufffd\ufffd\ufffd\\u0014*\\u001a\ufffd\u06c0\ufffd.\\u001cI\ufffd\ufffdvGp\\u0014H\ufffd*\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0006\ufffd\ufffdu\ufffd\u06c2ch\ufffd\ufffd\\u001e\ufffdB\\u001b\ufffdUh\\\u0022\ufffd\\u000f\ufffd,\ufffd\ufffd\ufffd\\u000f\ufffd8- u\\b\ufffd\\u0014\\u0010m\ufffd\ufffd\ufffd\\u0014*\\u001a\ufffd\u06c0\ufffd.\\u001cI\ufffd\ufffdvGp\\u0014H\ufffd*\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\ufffd\\n\\u0013\\u0004\ufffd+\\u0013\\u0003\ufffd\ufffd\ufffd\\u0013\ufffd\ufffd\ufffd\\u0011\ufffd#\\u0000\\n\ufffd\\t\\u0000\/\ufffd\\b\\u0000\u003C\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000E\\u0000=\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000k\\u0000A\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\\u0007\\u0000g\\u0000\\u0004\\u00003\\u0000\\u0005\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd**\\u0000\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0006\ufffd\ufffdu\ufffd\u06c2ch\ufffd\ufffd\\u001e\ufffdB\\u001b\ufffdUh\\\u0022\ufffd\\u000f\ufffd,\ufffd\ufffd\ufffd\\u000f\ufffd8- u\\b\ufffd\\u0014\\u0010m\ufffd\ufffd\ufffd\\u0014*\\u001a\ufffd\u06c0\ufffd.\\u001cI\ufffd\ufffdvGp\\u0014H\ufffd*\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022daee44129704e597603630b9a3b7c2546e20c536\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0006\ufffd\ufffdu\ufffd\u06c2ch\ufffd\ufffd\\u001e\ufffdB\\u001b\ufffdUh\\\u0022\ufffd\\u000f\ufffd,\ufffd\ufffd\ufffd\\u000f\ufffd8- u\\b\ufffd\\u0014\\u0010m\ufffd\ufffd\ufffd\\u0014*\\u001a\ufffd\u06c0\ufffd.\\u001cI\ufffd\ufffdvGp\\u0014H\ufffd*\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu\ufffd\u06c2ch\ufffd\ufffd\ufffdB\ufffdUh\\\u0022\ufffd\ufffd,\ufffd\ufffd\ufffd\ufffd8- u\ufffdm\ufffd\ufffd\ufffd*\ufffd\u06c0\ufffd.I\ufffd\ufffdvGpH\ufffd*\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0006\ufffd\ufffdu\ufffd\u06c2ch\ufffd\ufffd\\u001e\ufffdB\\u001b\ufffdUh\\\u0022\ufffd\\u000f\ufffd,\ufffd\ufffd\ufffd\\u000f\ufffd8- u\\b\ufffd\\u0014\\u0010m\ufffd\ufffd\ufffd\\u0014*\\u001a\ufffd\u06c0\ufffd.\\u001cI\ufffd\ufffdvGp\\u0014H\ufffd*\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu\ufffd\u06c2ch\ufffd\ufffd\ufffdB\ufffdUh\\\u0022\ufffd\ufffd,\ufffd\ufffd\ufffd\ufffd8- u\ufffdm\ufffd\ufffd\ufffd*\ufffd\u06c0\ufffd.I\ufffd\ufffdvGpH\ufffd*\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":439},{"id":9295361,"ip":"82.102.31.6","ts":"2026-06-15 20:19:58.000000","proto":"tcp","src_port":59896,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 416, \u0022payload_entropy\u0022: 6.024601921528109, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002268d78918f3ef52cbefec4c966aeb139f\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\\u000e\ufffd\\u0019\ufffd\ufffd\ufffd\u0027\\u000f\ufffd\ufffd\u0026\ufffdm\u003CX\ufffdD8\ufffd\ufffd\ufffd\ufffd*\ufffd 6\\u0012E\ufffdF:\ufffd4q\/.\ufffd\ufffd\ufffd\u003CI\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffdH.\\u0019P^\u034c\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\\u000e\ufffd\\u0019\ufffd\ufffd\ufffd\u0027\\u000f\ufffd\ufffd\u0026\ufffdm\u003CX\ufffdD8\ufffd\ufffd\ufffd\ufffd*\ufffd 6\\u0012E\ufffdF:\ufffd4q\/.\ufffd\ufffd\ufffd\u003CI\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffdH.\\u0019P^\u034c\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\\u000e\ufffd\\u0019\ufffd\ufffd\ufffd\u0027\\u000f\ufffd\ufffd\u0026\ufffdm\u003CX\ufffdD8\ufffd\ufffd\ufffd\ufffd*\ufffd 6\\u0012E\ufffdF:\ufffd4q\/.\ufffd\ufffd\ufffd\u003CI\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffdH.\\u0019P^\u034c\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226f3ed6fb227a4c14fee73b9db1caec1c1fe995de\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\\u000e\ufffd\\u0019\ufffd\ufffd\ufffd\u0027\\u000f\ufffd\ufffd\u0026\ufffdm\u003CX\ufffdD8\ufffd\ufffd\ufffd\ufffd*\ufffd 6\\u0012E\ufffdF:\ufffd4q\/.\ufffd\ufffd\ufffd\u003CI\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffdH.\\u0019P^\u034c\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\u0026\ufffdm\u003CX\ufffdD8\ufffd\ufffd\ufffd\ufffd*\ufffd 6E\ufffdF:\ufffd4q\/.\ufffd\ufffd\ufffd\u003CI\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffdH.P^\u034c\ufffd\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\\u000e\ufffd\\u0019\ufffd\ufffd\ufffd\u0027\\u000f\ufffd\ufffd\u0026\ufffdm\u003CX\ufffdD8\ufffd\ufffd\ufffd\ufffd*\ufffd 6\\u0012E\ufffdF:\ufffd4q\/.\ufffd\ufffd\ufffd\u003CI\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffdH.\\u0019P^\u034c\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\u0026\ufffdm\u003CX\ufffdD8\ufffd\ufffd\ufffd\ufffd*\ufffd 6E\ufffdF:\ufffd4q\/.\ufffd\ufffd\ufffd\u003CI\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffdH.P^\u034c\ufffd\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":416},{"id":9295357,"ip":"82.102.31.6","ts":"2026-06-15 20:19:57.000000","proto":"tcp","src_port":59882,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 426, \u0022payload_entropy\u0022: 5.938756290875007, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002212f6bc0f1953a1ad77ffe2a2eb6f6c8a\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\r\\f\ufffd(\ufffd4\u003C1\ufffd6\\u0000\\u0010\ufffd\\u0001*\\u0003\ufffd\ufffd\ufffdj\ufffdg(\ufffd\ufffdX\ufffd\ufffd\ufffdo\ufffd t\\u0006\ufffd\ufffd\ufffd\ufffd\u07ac\ufffd\ufffd\u9a76x\ufffdg5O\ufffd\ufffd!\\u0018e$W\u04e7\\u0017x\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\r\\f\ufffd(\ufffd4\u003C1\ufffd6\\u0000\\u0010\ufffd\\u0001*\\u0003\ufffd\ufffd\ufffdj\ufffdg(\ufffd\ufffdX\ufffd\ufffd\ufffdo\ufffd t\\u0006\ufffd\ufffd\ufffd\ufffd\u07ac\ufffd\ufffd\u9a76x\ufffdg5O\ufffd\ufffd!\\u0018e$W\u04e7\\u0017x\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\\u0013\\u0002\\u0013\\u0001\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\r\\f\ufffd(\ufffd4\u003C1\ufffd6\\u0000\\u0010\ufffd\\u0001*\\u0003\ufffd\ufffd\ufffdj\ufffdg(\ufffd\ufffdX\ufffd\ufffd\ufffdo\ufffd t\\u0006\ufffd\ufffd\ufffd\ufffd\u07ac\ufffd\ufffd\u9a76x\ufffdg5O\ufffd\ufffd!\\u0018e$W\u04e7\\u0017x\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b5cdb1486d5ded444a9ede4f06a85a03a68783b5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\r\\f\ufffd(\ufffd4\u003C1\ufffd6\\u0000\\u0010\ufffd\\u0001*\\u0003\ufffd\ufffd\ufffdj\ufffdg(\ufffd\ufffdX\ufffd\ufffd\ufffdo\ufffd t\\u0006\ufffd\ufffd\ufffd\ufffd\u07ac\ufffd\ufffd\u9a76x\ufffdg5O\ufffd\ufffd!\\u0018e$W\u04e7\\u0017x\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\\r\ufffd(\ufffd4\u003C1\ufffd6\ufffd*\ufffd\ufffd\ufffdj\ufffdg(\ufffd\ufffdX\ufffd\ufffd\ufffdo\ufffd t\ufffd\ufffd\ufffd\ufffd\u07ac\ufffd\ufffd\u9a76x\ufffdg5O\ufffd\ufffd!e$W\u04e7x\ufffd\ufffd\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\r\\f\ufffd(\ufffd4\u003C1\ufffd6\\u0000\\u0010\ufffd\\u0001*\\u0003\ufffd\ufffd\ufffdj\ufffdg(\ufffd\ufffdX\ufffd\ufffd\ufffdo\ufffd t\\u0006\ufffd\ufffd\ufffd\ufffd\u07ac\ufffd\ufffd\u9a76x\ufffdg5O\ufffd\ufffd!\\u0018e$W\u04e7\\u0017x\ufffd\ufffd\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\\r\ufffd(\ufffd4\u003C1\ufffd6\ufffd*\ufffd\ufffd\ufffdj\ufffdg(\ufffd\ufffdX\ufffd\ufffd\ufffdo\ufffd t\ufffd\ufffd\ufffd\ufffd\u07ac\ufffd\ufffd\u9a76x\ufffdg5O\ufffd\ufffd!e$W\u04e7x\ufffd\ufffd\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":426},{"id":9295358,"ip":"82.102.31.6","ts":"2026-06-15 20:19:57.000000","proto":"tcp","src_port":59894,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 426, \u0022payload_entropy\u0022: 6.0256735292001435, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022efb777d26c355936e872f80d2faea8eb\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003u\ufffd\\u001b\\u0007\ufffd\ufffdho`i\ufffdaN\ufffd3\ufffd\ufffd\\u0003\\u0018)\u01ec\ufffd\ufffd\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd Db\ufffd\u0026\ufffd\\b\ufffd,\ufffd\\u0019\ufffd\u00cf,\\u0011%\ufffdy5_fT\ufffd[\\u001fm\ufffd\ufffd\\u001e\ufffdp\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003u\ufffd\\u001b\\u0007\ufffd\ufffdho`i\ufffdaN\ufffd3\ufffd\ufffd\\u0003\\u0018)\u01ec\ufffd\ufffd\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd Db\ufffd\u0026\ufffd\\b\ufffd,\ufffd\\u0019\ufffd\u00cf,\\u0011%\ufffdy5_fT\ufffd[\\u001fm\ufffd\ufffd\\u001e\ufffdp\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\ufffdv\ufffda\ufffd`\ufffd0\ufffd(\ufffd\\u0014\ufffd\/\ufffd\u0027\ufffd\\u0013\ufffd\\u0012\ufffd\\u0007\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\u0329\ufffds\ufffdr\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\\n\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\\t\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000k\\u00009\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000g\\u00003\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003u\ufffd\\u001b\\u0007\ufffd\ufffdho`i\ufffdaN\ufffd3\ufffd\ufffd\\u0003\\u0018)\u01ec\ufffd\ufffd\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd Db\ufffd\u0026\ufffd\\b\ufffd,\ufffd\\u0019\ufffd\u00cf,\\u0011%\ufffdy5_fT\ufffd[\\u001fm\ufffd\ufffd\\u001e\ufffdp\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022881da1d009de24cc095685b69a17ddb006a364d9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003u\ufffd\\u001b\\u0007\ufffd\ufffdho`i\ufffdaN\ufffd3\ufffd\ufffd\\u0003\\u0018)\u01ec\ufffd\ufffd\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd Db\ufffd\u0026\ufffd\\b\ufffd,\ufffd\\u0019\ufffd\u00cf,\\u0011%\ufffdy5_fT\ufffd[\\u001fm\ufffd\ufffd\\u001e\ufffdp\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdu\ufffd\ufffd\ufffdho`i\ufffdaN\ufffd3\ufffd\ufffd)\u01ec\ufffd\ufffd\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd Db\ufffd\u0026\ufffd\ufffd,\ufffd\ufffd\u00cf,%\ufffdy5_fT\ufffd[m\ufffd\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\/\\n\ufffd\ufffd\u0328\ufffdw\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003u\ufffd\\u001b\\u0007\ufffd\ufffdho`i\ufffdaN\ufffd3\ufffd\ufffd\\u0003\\u0018)\u01ec\ufffd\ufffd\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd Db\ufffd\u0026\ufffd\\b\ufffd,\ufffd\\u0019\ufffd\u00cf,\\u0011%\ufffdy5_fT\ufffd[\\u001fm\ufffd\ufffd\\u001e\ufffdp\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\\u0007\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000=\\u00005\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u003C\\u0000\/\\u0000\\n\ufffd\\u0011\ufffd\\u0013\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\u0328\ufffdw\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdu\ufffd\ufffd\ufffdho`i\ufffdaN\ufffd3\ufffd\ufffd)\u01ec\ufffd\ufffd\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd Db\ufffd\u0026\ufffd\ufffd,\ufffd\ufffd\u00cf,%\ufffdy5_fT\ufffd[m\ufffd\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\/\\n\ufffd\ufffd\u0328\ufffdw\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":426},{"id":9295356,"ip":"82.102.31.6","ts":"2026-06-15 20:19:56.000000","proto":"tcp","src_port":59874,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 413, \u0022payload_entropy\u0022: 5.997200068820924, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00229c1cd77adff23dd3b3733d7c81671b20\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002`\ufffd j\\u001f%zk\ufffdR\ufffd\ufffdPh\ufffd\u06c7\\u0012\ufffd\\f\u003E\ufffd\ufffd\ufffd\\f\ufffd^\ufffd@\u04f4. \ufffd=\ufffd\u003E\ufffd*\ufffd\ufffd\\u0005\ufffdDl\\bF\ufffd{\ufffd\ufffd\ufffd;+\\\\\ufffd^\\u0001r\\b\ufffd\u003Es\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002`\ufffd j\\u001f%zk\ufffdR\ufffd\ufffdPh\ufffd\u06c7\\u0012\ufffd\\f\u003E\ufffd\ufffd\ufffd\\f\ufffd^\ufffd@\u04f4. \ufffd=\ufffd\u003E\ufffd*\ufffd\ufffd\\u0005\ufffdDl\\bF\ufffd{\ufffd\ufffd\ufffd;+\\\\\ufffd^\\u0001r\\b\ufffd\u003Es\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffdr\ufffds\u0329\\u0013\\u0002\\u0013\\u0001\ufffd\\u0014\ufffd\\u0007\ufffd\\u0012\ufffd\\u0013\ufffd\u0027\ufffd\/\ufffd\\u0014\ufffd(\ufffd0\ufffd`\ufffda\ufffdv\ufffdw\u0328\\u0013\\u0005\\u0013\\u0004\\u0013\\u0003\ufffd\\u0013\ufffd\\u0011\\u0000\\n\\u0000\/\\u0000\u003C\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00005\\u0000=\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000A\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\\u0007\\u0000\\u0004\\u0000\\u0005\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002`\ufffd j\\u001f%zk\ufffdR\ufffd\ufffdPh\ufffd\u06c7\\u0012\ufffd\\f\u003E\ufffd\ufffd\ufffd\\f\ufffd^\ufffd@\u04f4. \ufffd=\ufffd\u003E\ufffd*\ufffd\ufffd\\u0005\ufffdDl\\bF\ufffd{\ufffd\ufffd\ufffd;+\\\\\ufffd^\\u0001r\\b\ufffd\u003Es\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022700dd5d82c3d2f126862db63a4d45aae4e244935\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002`\ufffd j\\u001f%zk\ufffdR\ufffd\ufffdPh\ufffd\u06c7\\u0012\ufffd\\f\u003E\ufffd\ufffd\ufffd\\f\ufffd^\ufffd@\u04f4. \ufffd=\ufffd\u003E\ufffd*\ufffd\ufffd\\u0005\ufffdDl\\bF\ufffd{\ufffd\ufffd\ufffd;+\\\\\ufffd^\\u0001r\\b\ufffd\u003Es\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd`\ufffd j%zk\ufffdR\ufffd\ufffdPh\ufffd\u06c7\ufffd\u003E\ufffd\ufffd\ufffd\ufffd^\ufffd@\u04f4. \ufffd=\ufffd\u003E\ufffd*\ufffd\ufffd\ufffdDlF\ufffd{\ufffd\ufffd\ufffd;+\\\\\ufffd^r\ufffd\u003Es\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0002`\ufffd j\\u001f%zk\ufffdR\ufffd\ufffdPh\ufffd\u06c7\\u0012\ufffd\\f\u003E\ufffd\ufffd\ufffd\\f\ufffd^\ufffd@\u04f4. \ufffd=\ufffd\u003E\ufffd*\ufffd\ufffd\\u0005\ufffdDl\\bF\ufffd{\ufffd\ufffd\ufffd;+\\\\\ufffd^\\u0001r\\b\ufffd\u003Es\\u0000\ufffd\\u0000\\u0016\\u00003\\u0000g\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u00009\\u0000k\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000E\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\\b\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd`\ufffd j%zk\ufffdR\ufffd\ufffdPh\ufffd\u06c7\ufffd\u003E\ufffd\ufffd\ufffd\ufffd^\ufffd@\u04f4. \ufffd=\ufffd\u003E\ufffd*\ufffd\ufffd\ufffdDlF\ufffd{\ufffd\ufffd\ufffd;+\\\\\ufffd^r\ufffd\u003Es\ufffd3g\ufffd\ufffd\ufffd\ufffd\ufffd9k\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\\n\ufffd$\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":413},{"id":9295354,"ip":"82.102.31.6","ts":"2026-06-15 20:19:55.000000","proto":"tcp","src_port":49508,"dst_port":6666,"service":"irc-alt","classification":"irc-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00223a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a\u0022, \u0022emulator_response_len\u0022: 50, \u0022bytes_in\u0022: 412, \u0022payload_entropy\u0022: 6.009341461135528, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022service\u0022: \u0022irc-alt\u0022, \u0022app_proto\u0022: \u0022irc-alt\u0022, \u0022asn\u0022: 9009, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6666, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d5fd8c09dbc132bc433d46fdc76049034dd872a\u0022, \u0022event_fingerprint\u0022: \u0022cc099e4209131811d1d4777bc753e7344e7f3434\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 9009, \u0022org\u0022: \u0022M247 Europe SRL\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002245b34803ea4ea30e83541d090b43cc2e\u0022, \u0022path_pattern_hash\u0022: \u00226b182e382c1fe9f4c9dda6cd0b06efdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0007\ufffd!p\\u0007\\u0007\\u00189\u06db\ufffdR\ufffd\\\\\ufffd\ufffd\\u001af\ufffd\\u0018\u0609\ufffd\u0301\ufffd\ufffdJ9a \ufffd\ufffdS\ufffd\ufffd\u0728j\ufffdh\ufffd\ufffd\u00fa\ufffd\ufffd\ufffd\\bc\u0100\\u0005\ufffdL\ufffd\ufffd\\u0013k\ufffd\\u0011\\u0000\ufffd\\n\\n\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0007\ufffd!p\\u0007\\u0007\\u00189\u06db\ufffdR\ufffd\\\\\ufffd\ufffd\\u001af\ufffd\\u0018\u0609\ufffd\u0301\ufffd\ufffdJ9a \ufffd\ufffdS\ufffd\ufffd\u0728j\ufffdh\ufffd\ufffd\u00fa\ufffd\ufffd\ufffd\\bc\u0100\\u0005\ufffdL\ufffd\ufffd\\u0013k\ufffd\\u0011\\u0000\ufffd\\n\\n\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\ufffd\\n\\u0013\\u0004\ufffd+\\u0013\\u0003\ufffd\ufffd\ufffd\\u0013\ufffd\ufffd\ufffd\\u0011\ufffd#\\u0000\\n\ufffd\\t\\u0000\/\ufffd\\b\\u0000\u003C\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000E\\u0000=\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\ufffd\\u0000k\\u0000A\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\ufffd\ufffd\ufffd\\u0000\\u0007\\u0000g\\u0000\\u0004\\u00003\\u0000\\u0005\\u0000\\u0016\\u0001\\u0000\\u0000\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0001\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0007\ufffd!p\\u0007\\u0007\\u00189\u06db\ufffdR\ufffd\\\\\ufffd\ufffd\\u001af\ufffd\\u0018\u0609\ufffd\u0301\ufffd\ufffdJ9a \ufffd\ufffdS\ufffd\ufffd\u0728j\ufffdh\ufffd\ufffd\u00fa\ufffd\ufffd\ufffd\\bc\u0100\\u0005\ufffdL\ufffd\ufffd\\u0013k\ufffd\\u0011\\u0000\ufffd\\n\\n\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f58a59418cab8ff765e1bf459c17c39e915c3b52\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0007\ufffd!p\\u0007\\u0007\\u00189\u06db\ufffdR\ufffd\\\\\ufffd\ufffd\\u001af\ufffd\\u0018\u0609\ufffd\u0301\ufffd\ufffdJ9a \ufffd\ufffdS\ufffd\ufffd\u0728j\ufffdh\ufffd\ufffd\u00fa\ufffd\ufffd\ufffd\\bc\u0100\\u0005\ufffdL\ufffd\ufffd\\u0013k\ufffd\\u0011\\u0000\ufffd\\n\\n\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd!p9\u06db\ufffdR\ufffd\\\\\ufffd\ufffdf\ufffd\u0609\ufffd\u0301\ufffd\ufffdJ9a \ufffd\ufffdS\ufffd\ufffd\u0728j\ufffdh\ufffd\ufffd\u00fa\ufffd\ufffd\ufffdc\u0100\ufffdL\ufffd\ufffdk\ufffd\ufffd\\n\\n\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022, \u0022dst_port\u0022: 6666, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0003\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\\u0007\ufffd!p\\u0007\\u0007\\u00189\u06db\ufffdR\ufffd\\\\\ufffd\ufffd\\u001af\ufffd\\u0018\u0609\ufffd\u0301\ufffd\ufffdJ9a \ufffd\ufffdS\ufffd\ufffd\u0728j\ufffdh\ufffd\ufffd\u00fa\ufffd\ufffd\ufffd\\bc\u0100\\u0005\ufffdL\ufffd\ufffd\\u0013k\ufffd\\u0011\\u0000\ufffd\\n\\n\ufffd\\u0012\ufffd\\u0013\ufffd\\u0007\ufffd\u0027\ufffd\\u0014\ufffd\/\\u0013\\u0001\ufffd\\u0014\\u0013\\u0002\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\\u0013\\u0005\u0022, \u0022port\u0022: 6666, \u0022service\u0022: \u0022irc-alt\u0022, \u0022service_label_fr\u0022: \u0022IRC ALT\u0022}, \u0022attack_vector\u0022: \u0022irc-alt \u00b7 via IRC ALT:6666 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd!p9\u06db\ufffdR\ufffd\\\\\ufffd\ufffdf\ufffd\u0609\ufffd\u0301\ufffd\ufffdJ9a \ufffd\ufffdS\ufffd\ufffd\u0728j\ufffdh\ufffd\ufffd\u00fa\ufffd\ufffd\ufffdc\u0100\ufffdL\ufffd\ufffdk\ufffd\ufffd\\n\\n\ufffd\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\/\ufffd\ufffd(\u0329\ufffd0\ufffds\ufffd`\ufffdr\ufffda\ufffd,\ufffdv\ufffd\ufffd\ufffdw\ufffd\ufffd\u0328\ufffd$\u0022, \u0022target_port_label\u0022: \u00226666 \u00b7 IRC ALT\u0022, \u0022emulator_service\u0022: \u0022irc-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022irc_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-irc-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226666\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":412}],"total_events":63}