Détails IP 89.205.21.201

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « tls_probe » (signaux protocolaires) · confiance 50%

Confiance 58 % — Score WAF 8 · Bonus corrélation +8

Comparaison ASN / FAI

ASN 41557 · 89.205.0.0/17 · RIPENCC — 1 pair(s) ASN/FAI listé(s) sur la base · 15 événements sur la période pour cette IP.

89.205.126.37 tcp 18/01/2026 09:42 UTC

IPs apparentées

Même FAI Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip — corrélation indicative.

89.205.126.37 tcp

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 7 TLS TCP 7

HTTP

7

TLS

7

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

15 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
21/06/2026 02:09:32 UTC	TCP	2051 · TLS	tls	Sonde TLS tls probe · via TLS:2051 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2051 Chemin / cible — Service TLS Payload ��I�e��ȄF�15i]a�9��;`2JXLޡ S��u�� /�O��(��:��C\@>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��I�e��ȄF�15i]a�9��;`2JXLޡ S��u��/�O��(��:��C\@>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) ��I�e��ȄF�15i]a�9��;`2JXLޡ S��u�� /�O��(��:��C\@>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.139144031529031, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "17ee770155de9d76eb5346fc1757085086a537cc", "event_fingerprint": "c5c75a0a199572010403dd9c168f1a64f06284e9", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "ed638f60b5c54a46e55ca6bbe473eb10", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2051, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffdI\u0015\ufffde\ufffd\ufffd\u001d\u0204F\ufffd15i\u0005]a\ufffd9\ufffd\ufffd;`2JXL\u07a1 S\u001f\u0000\ufffd\ufffdu\ufffd\ufffd\ufffd\u000b\ufffd\u001d\ufffd\/\ufffdO\u000f\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd\ufffdC\\@\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffdI\u0015\ufffde\ufffd\ufffd\u001d\u0204F\ufffd15i\u0005]a\ufffd9\ufffd\ufffd;`2JXL\u07a1 S\u001f\u0000\ufffd\ufffdu\ufffd\ufffd\ufffd\u000b\ufffd\u001d\ufffd\/\ufffdO\u000f\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd\ufffdC\\@\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffdI\u0015\ufffde\ufffd\ufffd\u001d\u0204F\ufffd15i\u0005]a\ufffd9\ufffd\ufffd;`2JXL\u07a1 S\u001f\u0000\ufffd\ufffdu\ufffd\ufffd\ufffd\u000b\ufffd\u001d\ufffd\/\ufffdO\u000f\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd\ufffdC\\@\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "40a7c2efa70c4ad58e8e0892b0c07aaefd021bc3", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffdI\u0015\ufffde\ufffd\ufffd\u001d\u0204F\ufffd15i\u0005]a\ufffd9\ufffd\ufffd;`2JXL\u07a1 S\u001f\u0000\ufffd\ufffdu\ufffd\ufffd\ufffd\u000b\ufffd\u001d\ufffd\/\ufffdO\u000f\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd\ufffdC\\@\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdI\ufffde\ufffd\ufffd\u0204F\ufffd15i]a\ufffd9\ufffd\ufffd;`2JXL\u07a1 S\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd\ufffd\/\ufffdO\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd\ufffdC\\@>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffdI\u0015\ufffde\ufffd\ufffd\u001d\u0204F\ufffd15i\u0005]a\ufffd9\ufffd\ufffd;`2JXL\u07a1 S\u001f\u0000\ufffd\ufffdu\ufffd\ufffd\ufffd\u000b\ufffd\u001d\ufffd\/\ufffdO\u000f\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd\ufffdC\\@\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdI\ufffde\ufffd\ufffd\u0204F\ufffd15i]a\ufffd9\ufffd\ufffd;`2JXL\u07a1 S\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd\ufffd\/\ufffdO\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd\ufffdC\\@>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
21/06/2026 02:09:31 UTC	TCP	2051 · TLS	tls	Sonde TLS tls probe · via TLS:2051 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2051 Chemin / cible — Service TLS Payload �5c��0�q� ^�Ӿ�ݮ�D��[�4��-d Pp �P�4�=v��<O�3آ T�7R�7��v� +�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �5c��0�q� ^�Ӿ�ݮ�D��[�4��-dPp �P�4�=v��<O�3آ T�7R�7��v� +�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) �5c��0�q� ^�Ӿ�ݮ�D��[�4��-d Pp �P�4�=v��<O�3آ T�7R�7��v� +�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.106159628381976, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "17ee770155de9d76eb5346fc1757085086a537cc", "event_fingerprint": "c5c75a0a199572010403dd9c168f1a64f06284e9", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "c63833c03948c41efcf840c0ee088dac", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2051, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00035c\ufffd\ufffd\ufffd0\ufffdq\ufffd ^\ufffd\u04fe\ufffd\u076e\ufffdD\ufffd\ufffd[\ufffd4\u0013\ufffd\ufffd-d\u000bPp \ufffdP\ufffd4\ufffd=v\ufffd\ufffd<O\u0000\ufffd3\u0622 T\ufffd7R\ufffd7\ufffd\u0011\ufffdv\ufffd\r+\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00035c\ufffd\ufffd\ufffd0\ufffdq\ufffd ^\ufffd\u04fe\ufffd\u076e\ufffdD\ufffd\ufffd[\ufffd4\u0013\ufffd\ufffd-d\u000bPp \ufffdP\ufffd4\ufffd=v\ufffd\ufffd<O\u0000\ufffd3\u0622 T\ufffd7R\ufffd7\ufffd\u0011\ufffdv\ufffd\r+\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00035c\ufffd\ufffd\ufffd0\ufffdq\ufffd ^\ufffd\u04fe\ufffd\u076e\ufffdD\ufffd\ufffd[\ufffd4\u0013\ufffd\ufffd-d\u000bPp \ufffdP\ufffd4\ufffd=v\ufffd\ufffd<O\u0000\ufffd3\u0622 T\ufffd7R\ufffd7\ufffd\u0011\ufffdv\ufffd\r+\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4cb29c83607155420c3ddaed9967939ae28ea053", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00035c\ufffd\ufffd\ufffd0\ufffdq\ufffd ^\ufffd\u04fe\ufffd\u076e\ufffdD\ufffd\ufffd[\ufffd4\u0013\ufffd\ufffd-d\u000bPp \ufffdP\ufffd4\ufffd=v\ufffd\ufffd<O\u0000\ufffd3\u0622 T\ufffd7R\ufffd7\ufffd\u0011\ufffdv\ufffd\r+\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd5c\ufffd\ufffd\ufffd0\ufffdq\ufffd ^\ufffd\u04fe\ufffd\u076e\ufffdD\ufffd\ufffd[\ufffd4\ufffd\ufffd-dPp \ufffdP\ufffd4\ufffd=v\ufffd\ufffd<O\ufffd3\u0622 T\ufffd7R\ufffd7\ufffd\ufffdv\ufffd\r+\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00035c\ufffd\ufffd\ufffd0\ufffdq\ufffd ^\ufffd\u04fe\ufffd\u076e\ufffdD\ufffd\ufffd[\ufffd4\u0013\ufffd\ufffd-d\u000bPp \ufffdP\ufffd4\ufffd=v\ufffd\ufffd<O\u0000\ufffd3\u0622 T\ufffd7R\ufffd7\ufffd\u0011\ufffdv\ufffd\r+\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd5c\ufffd\ufffd\ufffd0\ufffdq\ufffd ^\ufffd\u04fe\ufffd\u076e\ufffdD\ufffd\ufffd[\ufffd4\ufffd\ufffd-dPp \ufffdP\ufffd4\ufffd=v\ufffd\ufffd<O\ufffd3\u0622 T\ufffd7R\ufffd7\ufffd\ufffdv\ufffd\r+\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
21/06/2026 02:09:31 UTC	TCP	2051 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:2051 · (tentative d'exploit) · → /image/lgbg.jpg	Élevée	Moyen · 48
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /image/lgbg.jpg UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 19 Recommandation Surveiller Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /image/lgbg.jpg TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2051 Chemin / cible /image/lgbg.jpg Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 48 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /image/lgbg.jpg HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /image/lgbg.jpg HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532 Requête brute (extrait) GET /image/lgbg.jpg HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "jpg", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "ea2461d2a1df1f7ccdcf0873bc1d867a49a286e5", "http_target_hash": "2dd31a361729c174218c8a0a20c0e5c1f46a52e7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 242, "payload_entropy": 5.366014933359768, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "02284ed624acf0fcbe7dfc1393c3ad13f95eb110", "event_fingerprint": "5c1ac9464b40ed28265fd6f988d1cc28c68a5049", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "c1d623679ae6bb710732a1dd7aee71b2", "path_pattern_hash": "27ca7de15d9e41dae8afc854797a412b" }, "target_context": { "dst_port": 2051, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "method": "GET", "path": "\/image\/lgbg.jpg", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/image\/lgbg.jpg HTTP\/1.1", "request_sample": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "evidence": { "method": "GET", "path": "\/image\/lgbg.jpg", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/image\/lgbg.jpg HTTP\/1.1", "request_sample": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b80ad3dbda1c4480a976df490a1e3dd6dd07f486", "protocol_details": { "http_method": "GET", "http_path": "\/image\/lgbg.jpg", "request_line": "GET \/image\/lgbg.jpg HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "attack_vector": "exploit attempt \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/image\/lgbg.jpg", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 48, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/image\/lgbg.jpg", "request_line": "GET \/image\/lgbg.jpg HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/image\/lgbg.jpg", "evidence_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ] }
21/06/2026 02:09:31 UTC	TCP	2051 · TLS	tls	Sonde TLS tls probe · via TLS:2051 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2051 Chemin / cible — Service TLS Payload �Yb{�s�A��ٯ��o�@u��7�n�C��2s )�G��x��xڸ�H_�BK�S�s��eC��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �Yb{�s�A��ٯ��o�@u��7�n�C��2s )�G��x��xڸ�H_�BK�S�s��eC��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) �Yb{�s�A��ٯ��o�@u��7�n�C��2s )�G��x��xڸ�H_�BK�S�s��eC��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.136818806122236, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "17ee770155de9d76eb5346fc1757085086a537cc", "event_fingerprint": "c5c75a0a199572010403dd9c168f1a64f06284e9", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "8efea23a92c31038ec7874d11155b17c", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2051, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003Yb{\ufffds\ufffdA\ufffd\ufffd\u066f\ufffd\ufffd\ufffd\ufffdo\u0006\ufffd\u0016@u\ufffd\ufffd7\ufffdn\ufffdC\ufffd\ufffd2s )\ufffdG\ufffd\ufffd\ufffdx\ufffd\ufffdx\u0014\u06b8\ufffdH_\ufffdBK\ufffd\u0018S\ufffds\ufffd\ufffdeC\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003Yb{\ufffds\ufffdA\ufffd\ufffd\u066f\ufffd\ufffd\ufffd\ufffdo\u0006\ufffd\u0016@u\ufffd\ufffd7\ufffdn\ufffdC\ufffd\ufffd2s )\ufffdG\ufffd\ufffd\ufffdx\ufffd\ufffdx\u0014\u06b8\ufffdH_\ufffdBK\ufffd\u0018S\ufffds\ufffd\ufffdeC\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003Yb{\ufffds\ufffdA\ufffd\ufffd\u066f\ufffd\ufffd\ufffd\ufffdo\u0006\ufffd\u0016@u\ufffd\ufffd7\ufffdn\ufffdC\ufffd\ufffd2s )\ufffdG\ufffd\ufffd\ufffdx\ufffd\ufffdx\u0014\u06b8\ufffdH_\ufffdBK\ufffd\u0018S\ufffds\ufffd\ufffdeC\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5beec214b887fa4bdd46e5aea5e1a193847e6833", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003Yb{\ufffds\ufffdA\ufffd\ufffd\u066f\ufffd\ufffd\ufffd\ufffdo\u0006\ufffd\u0016@u\ufffd\ufffd7\ufffdn\ufffdC\ufffd\ufffd2s )\ufffdG\ufffd\ufffd\ufffdx\ufffd\ufffdx\u0014\u06b8\ufffdH_\ufffdBK\ufffd\u0018S\ufffds\ufffd\ufffdeC\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffdYb{\ufffds\ufffdA\ufffd\ufffd\u066f\ufffd\ufffd\ufffd\ufffdo\ufffd@u\ufffd\ufffd7\ufffdn\ufffdC\ufffd\ufffd2s )\ufffdG\ufffd\ufffd\ufffdx\ufffd\ufffdx\u06b8\ufffdH_\ufffdBK\ufffdS\ufffds\ufffd\ufffdeC\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003Yb{\ufffds\ufffdA\ufffd\ufffd\u066f\ufffd\ufffd\ufffd\ufffdo\u0006\ufffd\u0016@u\ufffd\ufffd7\ufffdn\ufffdC\ufffd\ufffd2s )\ufffdG\ufffd\ufffd\ufffdx\ufffd\ufffdx\u0014\u06b8\ufffdH_\ufffdBK\ufffd\u0018S\ufffds\ufffd\ufffdeC\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffdYb{\ufffds\ufffdA\ufffd\ufffd\u066f\ufffd\ufffd\ufffd\ufffdo\ufffd@u\ufffd\ufffd7\ufffdn\ufffdC\ufffd\ufffd2s )\ufffdG\ufffd\ufffd\ufffdx\ufffd\ufffdx\u06b8\ufffdH_\ufffdBK\ufffdS\ufffds\ufffd\ufffdeC\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
21/06/2026 02:09:31 UTC	TCP	2051 · HTTP	http	jenkins probe jenkins probe · via HTTP:2051 · (sonde / probe) · → /login.rsp	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET /login.rsp UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /login.rsp TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2051 Chemin / cible /login.rsp Service HTTP Pourquoi cette classification : Type « jenkins_probe » (signaux protocolaires) · confiance 47% Confiance classification 55% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 47 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux Cicd Jenkins Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /login.rsp HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /login.rsp HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KH Requête brute (extrait) GET /login.rsp HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "rsp", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "ea2461d2a1df1f7ccdcf0873bc1d867a49a286e5", "http_target_hash": "577c7c6e9f07414bab1843cc24ba57c57365c8d9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 237, "payload_entropy": 5.317306065621836, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 60, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "89a68c9fc75729cccca61086ba7dda1288bc8732", "event_fingerprint": "f63c8bad84c905f498bb19cb48fc9cd090fcf7cc", "classification_reason": "Type \u00ab jenkins_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 56, "precision_signals": [ "INT-cicd-jenkins" ], "kb_rule_ids": [ "INT-cicd-jenkins" ], "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 47, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "920d063009cdf419b0fc5dc1940a5c18", "path_pattern_hash": "4586a3f595a38eb868be9c94ceb03915" }, "target_context": { "dst_port": 2051, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "method": "GET", "path": "\/login.rsp", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/login.rsp HTTP\/1.1", "request_sample": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "evidence": { "method": "GET", "path": "\/login.rsp", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/login.rsp HTTP\/1.1", "request_sample": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "classification_reason": "Type \u00ab jenkins_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f9b16211e75ae8b604df8c9dfca5fa58febd323f", "protocol_details": { "http_method": "GET", "http_path": "\/login.rsp", "request_line": "GET \/login.rsp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "attack_vector": "jenkins probe \u00b7 via HTTP:2051 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/login.rsp", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab jenkins_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "classification_reason_label_fr": "Type \u00ab jenkins_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "INT-cicd-jenkins" ], "tags_summary_labels_fr": [ "Cicd Jenkins" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/login.rsp", "request_line": "GET \/login.rsp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "jenkins probe \u00b7 via HTTP:2051 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/login.rsp", "evidence_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ] }
21/06/2026 02:09:31 UTC	TCP	2051 · TLS	tls	Sonde TLS tls probe · via TLS:2051 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2051 Chemin / cible — Service TLS Payload � H�@v�1��´>��Gѣ��<�\|�� S=W�"�#�w�Pv��M��h��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) � H�@v�1��´>��Gѣ��<�\|�� S=W�"�#�w�Pv��M��h��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) � H�@v�1��´>��Gѣ��<�\|�� S=W�"�#�w�Pv��M��h��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.154751590415655, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "17ee770155de9d76eb5346fc1757085086a537cc", "event_fingerprint": "c5c75a0a199572010403dd9c168f1a64f06284e9", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "97dc3afe69bbfbe29abbf0d0a194d9a7", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2051, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\nH\ufffd@v\ufffd1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00b4>\ufffd\ufffdG\u0463\ufffd\ufffd\ufffd<\ufffd\|\ufffd\u001b\u0013\ufffd S=W\ufffd\"\ufffd#\ufffdw\ufffdPv\ufffd\ufffd\ufffd\ufffd\ufffdM\u001a\u001c\u0006\ufffd\u001d\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\nH\ufffd@v\ufffd1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00b4>\ufffd\ufffdG\u0463\ufffd\ufffd\ufffd<\ufffd\|\ufffd\u001b\u0013\ufffd S=W\ufffd\"\ufffd#\ufffdw\ufffdPv\ufffd\ufffd\ufffd\ufffd\ufffdM\u001a\u001c\u0006\ufffd\u001d\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\nH\ufffd@v\ufffd1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00b4>\ufffd\ufffdG\u0463\ufffd\ufffd\ufffd<\ufffd\|\ufffd\u001b\u0013\ufffd S=W\ufffd\"\ufffd#\ufffdw\ufffdPv\ufffd\ufffd\ufffd\ufffd\ufffdM\u001a\u001c\u0006\ufffd\u001d\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "40a33885668b36682543608955c55dbf96e99ca2", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\nH\ufffd@v\ufffd1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00b4>\ufffd\ufffdG\u0463\ufffd\ufffd\ufffd<\ufffd\|\ufffd\u001b\u0013\ufffd S=W\ufffd\"\ufffd#\ufffdw\ufffdPv\ufffd\ufffd\ufffd\ufffd\ufffdM\u001a\u001c\u0006\ufffd\u001d\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\nH\ufffd@v\ufffd1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00b4>\ufffd\ufffdG\u0463\ufffd\ufffd\ufffd<\ufffd\|\ufffd\ufffd S=W\ufffd\"\ufffd#\ufffdw\ufffdPv\ufffd\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\nH\ufffd@v\ufffd1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00b4>\ufffd\ufffdG\u0463\ufffd\ufffd\ufffd<\ufffd\|\ufffd\u001b\u0013\ufffd S=W\ufffd\"\ufffd#\ufffdw\ufffdPv\ufffd\ufffd\ufffd\ufffd\ufffdM\u001a\u001c\u0006\ufffd\u001d\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\nH\ufffd@v\ufffd1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00b4>\ufffd\ufffdG\u0463\ufffd\ufffd\ufffd<\ufffd\|\ufffd\ufffd S=W\ufffd\"\ufffd#\ufffdw\ufffdPv\ufffd\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "behavior_alert_count": 1, "behavior_priority": 72 }
21/06/2026 02:09:31 UTC	TCP	2051 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:2051 · (tentative d'exploit) · → /nobody/favicon.ico	Élevée	Moyen · 48
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /nobody/favicon.ico UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 19 Recommandation Surveiller Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /nobody/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2051 Chemin / cible /nobody/favicon.ico Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 48 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /nobody/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /nobody/favicon.ico HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit Requête brute (extrait) GET /nobody/favicon.ico HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "ea2461d2a1df1f7ccdcf0873bc1d867a49a286e5", "http_target_hash": "99031f973e05a5223d32a653b4d8545b046e986a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.326159906936761, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "02284ed624acf0fcbe7dfc1393c3ad13f95eb110", "event_fingerprint": "2e7852cc60fdbc4813a5360d9bae90251aca59d6", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "3d50dc87dcd072ba6a849044efd4c6ba", "path_pattern_hash": "aed6526709a8e7eda329386724bafe99" }, "target_context": { "dst_port": 2051, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "method": "GET", "path": "\/nobody\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nobody\/favicon.ico HTTP\/1.1", "request_sample": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "evidence": { "method": "GET", "path": "\/nobody\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nobody\/favicon.ico HTTP\/1.1", "request_sample": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "991967d3657aa468aa6666851866449904864799", "protocol_details": { "http_method": "GET", "http_path": "\/nobody\/favicon.ico", "request_line": "GET \/nobody\/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "attack_vector": "exploit attempt \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nobody\/favicon.ico", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 48, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/nobody\/favicon.ico", "request_line": "GET \/nobody\/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nobody\/favicon.ico", "evidence_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ] }
21/06/2026 02:09:31 UTC	TCP	2051 · TLS	tls	Sonde TLS tls probe · via TLS:2051 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2051 Chemin / cible — Service TLS Payload �gA��^�'��D��nt��m�1�܆��V�� 4^q`�\|��3W&� � B�k��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification :* Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �gA��^�'��D��nt��m�1�܆��V�� 4^q`�\|��3W&�� B�k��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) �gA��^�'��D��nt��m�1�܆��V�� 4^q`�\|��3W&� � B�k��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.093402112137083, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "17ee770155de9d76eb5346fc1757085086a537cc", "event_fingerprint": "c5c75a0a199572010403dd9c168f1a64f06284e9", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "a51d7768695953f382c7941e44145b7d", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2051, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003g\u001f\u001aA\ufffd\ufffd^\u0019\ufffd'\ufffd\ufffd\ufffdD\ufffd\ufffdnt\ufffd\ufffdm\ufffd1\ufffd\u0706\ufffd\ufffdV\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd4\u000f^\u0010q`\ufffd\|\ufffd\u0005\u001a\ufffd\ufffd3W&\ufffd\f\ufffd\tB\ufffdk\ufffd\u0016\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003g\u001f\u001aA\ufffd\ufffd^\u0019\ufffd'\ufffd\ufffd\ufffdD\ufffd\ufffdnt\ufffd\ufffdm\ufffd1\ufffd\u0706\ufffd\ufffdV\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd4\u000f^\u0010q`\ufffd\|\ufffd\u0005\u001a\ufffd\ufffd3W&\ufffd\f\ufffd\tB\ufffdk\ufffd\u0016\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003g\u001f\u001aA\ufffd\ufffd^\u0019\ufffd'\ufffd\ufffd\ufffdD\ufffd\ufffdnt\ufffd\ufffdm\ufffd1\ufffd\u0706\ufffd\ufffdV\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd4\u000f^\u0010q`\ufffd\|\ufffd\u0005\u001a\ufffd\ufffd3W&\ufffd\f\ufffd\tB\ufffdk\ufffd\u0016\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6deaff916fadf8d2d6bb29fdf04ee123abf31cf6", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003g\u001f\u001aA\ufffd\ufffd^\u0019\ufffd'\ufffd\ufffd\ufffdD\ufffd\ufffdnt\ufffd\ufffdm\ufffd1\ufffd\u0706\ufffd\ufffdV\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd4\u000f^\u0010q`\ufffd\|\ufffd\u0005\u001a\ufffd\ufffd3W&\ufffd\f\ufffd\tB\ufffdk\ufffd\u0016\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffdgA\ufffd\ufffd^\ufffd'\ufffd\ufffd\ufffdD\ufffd\ufffdnt\ufffd\ufffdm\ufffd1\ufffd\u0706\ufffd\ufffdV\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd4^q`\ufffd\|\ufffd\ufffd\ufffd3W&\ufffd\ufffd\tB\ufffdk\ufffd\ufffd\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003g\u001f\u001aA\ufffd\ufffd^\u0019\ufffd'\ufffd\ufffd\ufffdD\ufffd\ufffdnt\ufffd\ufffdm\ufffd1\ufffd\u0706\ufffd\ufffdV\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd4\u000f^\u0010q`\ufffd\|\ufffd\u0005\u001a\ufffd\ufffd3W&\ufffd\f\ufffd\tB\ufffdk\ufffd\u0016\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffdgA\ufffd\ufffd^\ufffd'\ufffd\ufffd\ufffdD\ufffd\ufffdnt\ufffd\ufffdm\ufffd1\ufffd\u0706\ufffd\ufffdV\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd4^*q`\ufffd\|\ufffd\ufffd\ufffd3W&\ufffd\ufffd\tB\ufffdk\ufffd\ufffd\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
21/06/2026 02:09:31 UTC	TCP	2051 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:2051 · (tentative d'exploit) · → /skin/default_1/images/logo.png	Élevée	Moyen · 48
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /skin/default_1/images/logo.png UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 19 Recommandation Surveiller Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /skin/default_1/images/logo.png TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2051 Chemin / cible /skin/default_1/images/logo.png Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 48 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /skin/default_1/images/logo.png HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /skin/default_1/images/logo.png HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Requête brute (extrait) GET /skin/default_1/images/logo.png HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "png", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "ea2461d2a1df1f7ccdcf0873bc1d867a49a286e5", "http_target_hash": "893121d0eb67a0f333f42554a8794cc9f4cb2cfc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.357644436549911, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "02284ed624acf0fcbe7dfc1393c3ad13f95eb110", "event_fingerprint": "d07ef8d251010de2331dad3eb7f06c4520b6c526", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "1a4378b4a4620a4a65f0a7e2da93dc79", "path_pattern_hash": "f6ee15dfe5cdca7ba24428fd11fa927c" }, "target_context": { "dst_port": 2051, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "method": "GET", "path": "\/skin\/default_1\/images\/logo.png", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1", "request_sample": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n", "payload_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "evidence": { "method": "GET", "path": "\/skin\/default_1\/images\/logo.png", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1", "request_sample": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n", "payload_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4a049b97ba4e094d9da5e70b19d94f2cfbc8d599", "protocol_details": { "http_method": "GET", "http_path": "\/skin\/default_1\/images\/logo.png", "request_line": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "attack_vector": "exploit attempt \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/skin\/default_1\/images\/logo.png", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 48, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/skin\/default_1\/images\/logo.png", "request_line": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/skin\/default_1\/images\/logo.png", "evidence_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ] }
21/06/2026 02:09:30 UTC	TCP	2051	—	Sonde port Sonde port · port 2051 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2051 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": null, "app_proto": null, "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.8, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "67ba85dd97a84ed4a907c59cb4e7a91d5e2c4523", "event_fingerprint": "9e7c5f7113bcba95d589e18d51a28b4fdd3e6754", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 2051, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "efe6ce3ab9ea99a6d48339714cb3dfce86b6197e", "protocol_details": { "port": 2051 }, "attack_vector": "Sonde port \u00b7 port 2051 \u00b7 (sonde \/ probe)", "target_port_label": "2051", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "port": 2051 }, "attack_vector": "Sonde port \u00b7 port 2051 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "2051", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
21/06/2026 02:09:30 UTC	TCP	2051 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:2051 · (tentative d'exploit)	Élevée	Moyen · 44
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2051 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 44 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "ea2461d2a1df1f7ccdcf0873bc1d867a49a286e5", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 228, "payload_entropy": 5.323334795469355, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "0f20a4100a499536900f68fe3b29e4efb48f6740", "event_fingerprint": "512f0b26b01f77fc234e61d269f3ea3ad1d7bf46", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "537f19cd222110ff3beecb7ab27981ab", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2051, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fea23352e9c662bc633f578096739c78d79b8ca8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "attack_vector": "exploit attempt \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit)", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:2051" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "behavior_alert_count": 1, "behavior_priority": 96 }
21/06/2026 02:09:30 UTC	TCP	2051 · TLS	tls	Sonde TLS tls probe · via TLS:2051 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2051 Chemin / cible — Service TLS Payload ��L��,�L��lMlf-5 �z�16�Y0�1.5�V �F��l�)W��j�2�ow��^�5 J��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��L��,�L��lMlf-5�z�16�Y0�1.5�V �F��l�)W��j�2�ow��^�5 J��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) ��L��,�L��lMlf-5 �z�16�Y0�1.5�V �F��l�)W��j�2�ow��^�5 J��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.1039016808176845, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "17ee770155de9d76eb5346fc1757085086a537cc", "event_fingerprint": "c5c75a0a199572010403dd9c168f1a64f06284e9", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "4e4f32366bc4a61100a9d35ebdd3c873", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2051, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdL\ufffd\u0016\ufffd\ufffd,\ufffdL\ufffd\ufffdlMlf-5\u000b\ufffdz\ufffd16\ufffdY0\ufffd1.5\ufffdV \ufffdF\ufffd\ufffd\ufffd\u0013\ufffd\ufffdl\ufffd)W\ufffd\u0006\u001a\ufffdj\ufffd2\ufffdo\u0015w\ufffd\ufffd^\ufffd5\rJ\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdL\ufffd\u0016\ufffd\ufffd,\ufffdL\ufffd\ufffdlMlf-5\u000b\ufffdz\ufffd16\ufffdY0\ufffd1.5\ufffdV \ufffdF\ufffd\ufffd\ufffd\u0013\ufffd\ufffdl\ufffd)W\ufffd\u0006\u001a\ufffdj\ufffd2\ufffdo\u0015w\ufffd\ufffd^\ufffd5\rJ\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdL\ufffd\u0016\ufffd\ufffd,\ufffdL\ufffd\ufffdlMlf-5\u000b\ufffdz\ufffd16\ufffdY0\ufffd1.5\ufffdV \ufffdF\ufffd\ufffd\ufffd\u0013\ufffd\ufffdl\ufffd)W\ufffd\u0006\u001a\ufffdj\ufffd2\ufffdo\u0015w\ufffd\ufffd^\ufffd5\rJ\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1f6bbb535d081fd6da36b350c8918d4cb19c4d7c", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdL\ufffd\u0016\ufffd\ufffd,\ufffdL\ufffd\ufffdlMlf-5\u000b\ufffdz\ufffd16\ufffdY0\ufffd1.5\ufffdV \ufffdF\ufffd\ufffd\ufffd\u0013\ufffd\ufffdl\ufffd)W\ufffd\u0006\u001a\ufffdj\ufffd2\ufffdo\u0015w\ufffd\ufffd^\ufffd5\rJ\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffdL\ufffd\ufffd\ufffd,\ufffdL\ufffd\ufffdlMlf-5\ufffdz\ufffd16\ufffdY0\ufffd1.5\ufffdV \ufffdF\ufffd\ufffd\ufffd\ufffd\ufffdl\ufffd)W\ufffd\ufffdj\ufffd2\ufffdow\ufffd\ufffd^\ufffd5\rJ\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdL\ufffd\u0016\ufffd\ufffd,\ufffdL\ufffd\ufffdlMlf-5\u000b\ufffdz\ufffd16\ufffdY0\ufffd1.5\ufffdV \ufffdF\ufffd\ufffd\ufffd\u0013\ufffd\ufffdl\ufffd)W\ufffd\u0006\u001a\ufffdj\ufffd2\ufffdo\u0015w\ufffd\ufffd^\ufffd5\rJ\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdL\ufffd\ufffd\ufffd,\ufffdL\ufffd\ufffdlMlf-5\ufffdz\ufffd16\ufffdY0\ufffd1.5\ufffdV \ufffdF\ufffd\ufffd\ufffd\ufffd\ufffdl\ufffd)W\ufffd\ufffdj\ufffd2\ufffdow\ufffd\ufffd^\ufffd5\rJ\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
21/06/2026 02:09:30 UTC	TCP	2051 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:2051 · (tentative d'exploit) · → /cgi-bin/param.cgi	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /cgi-bin/param.cgi UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_cgi_bin Cible HTTP GET /cgi-bin/param.cgi TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2051 Chemin / cible /cgi-bin/param.cgi Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CVE-2024-8956 PTZOptics Ligne de requête `GET /cgi-bin/param.cgi HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /cgi-bin/param.cgi HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/ Requête brute (extrait) GET /cgi-bin/param.cgi HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "cgi", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "ea2461d2a1df1f7ccdcf0873bc1d867a49a286e5", "http_target_hash": "49fcaff1d04840b2dcbeade821e5fb00d229020f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 245, "payload_entropy": 5.34173795956184, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 55, "tag_count": 6, "anomaly_count": 0, "campaign_key": "9b10a52f15174ef43cf66402a2cbcd5dc879a2d8", "event_fingerprint": "cfccb55451f6e29287c48dcfe8f84fbe59493d27", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0792" ], "matched_pattern_names": [ "CVE-2024-8956 PTZOptics" ], "pattern_ids": [ "pat-0792" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "5ac33062d4fd1ed4844f856817f4f8e7", "path_pattern_hash": "c17d9d1deca910691cca18621393a389" }, "target_context": { "dst_port": 2051, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "method": "GET", "path": "\/cgi-bin\/param.cgi", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/cgi-bin\/param.cgi HTTP\/1.1", "request_sample": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/cgi-bin\/param.cgi", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/cgi-bin\/param.cgi HTTP\/1.1", "request_sample": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "25108fa747aad13d257087a26f545d501d9c4462", "protocol_details": { "http_method": "GET", "http_path": "\/cgi-bin\/param.cgi", "request_line": "GET \/cgi-bin\/param.cgi HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "attack_vector": "config file probe \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/cgi-bin\/param.cgi", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/cgi-bin\/param.cgi", "request_line": "GET \/cgi-bin\/param.cgi HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/cgi-bin\/param.cgi", "evidence_snippet": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_cgi_bin", "http_sensitive_path", "iot_http_endpoint" ] }
21/06/2026 02:09:30 UTC	TCP	2051 · TLS	tls	Sonde TLS tls probe · via TLS:2051 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2051 Chemin / cible — Service TLS Payload �r\|â&p��P㤚��bԸ^t?bQ[vz�a�� ό��R�[�[�� #&}�y��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �r\|â&p��P㤚��bԸ^t?bQ[vz�a�� ό��R�[�[��#&}�y��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) �r\|â&p��P㤚��bԸ^t?bQ[vz�a�� ό��R�[�[�� #&}�y��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.130273791514198, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "17ee770155de9d76eb5346fc1757085086a537cc", "event_fingerprint": "c5c75a0a199572010403dd9c168f1a64f06284e9", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "6c21cdb19b26cf2d3aae0619dfb23794", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2051, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003r\|\u00e2&p\ufffd\ufffdP\u391a\ufffd\ufffdb\u0538^\u0018t?bQ[vz\ufffda\ufffd\ufffd\ufffd\ufffd \u001b\ufffd\u03cc\ufffd\ufffd\ufffdR\ufffd[\ufffd[\ufffd\ufffd\f\ufffd\ufffd\ufffd\ufffd\ufffd#\u0013&}\ufffdy\u001b\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003r\|\u00e2&p\ufffd\ufffdP\u391a\ufffd\ufffdb\u0538^\u0018t?bQ[vz\ufffda\ufffd\ufffd\ufffd\ufffd \u001b\ufffd\u03cc\ufffd\ufffd\ufffdR\ufffd[\ufffd[\ufffd\ufffd\f\ufffd\ufffd\ufffd\ufffd\ufffd#\u0013&}\ufffdy\u001b\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003r\|\u00e2&p\ufffd\ufffdP\u391a\ufffd\ufffdb\u0538^\u0018t?bQ[vz\ufffda\ufffd\ufffd\ufffd\ufffd \u001b\ufffd\u03cc\ufffd\ufffd\ufffdR\ufffd[\ufffd[\ufffd\ufffd\f\ufffd\ufffd\ufffd\ufffd\ufffd#\u0013&}\ufffdy\u001b\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5a27489384e87da81cb80977beb21b89803e746c", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003r\|\u00e2&p\ufffd\ufffdP\u391a\ufffd\ufffdb\u0538^\u0018t?bQ[vz\ufffda\ufffd\ufffd\ufffd\ufffd \u001b\ufffd\u03cc\ufffd\ufffd\ufffdR\ufffd[\ufffd[\ufffd\ufffd\f\ufffd\ufffd\ufffd\ufffd\ufffd#\u0013&}\ufffdy\u001b\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffdr\|\u00e2&p\ufffd\ufffdP\u391a\ufffd\ufffdb\u0538^t?bQ[vz\ufffda\ufffd\ufffd\ufffd\ufffd \ufffd\u03cc\ufffd\ufffd\ufffdR\ufffd[\ufffd[\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd#&}\ufffdy\ufffd\ufffd\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003r\|\u00e2&p\ufffd\ufffdP\u391a\ufffd\ufffdb\u0538^\u0018t?bQ[vz\ufffda\ufffd\ufffd\ufffd\ufffd \u001b\ufffd\u03cc\ufffd\ufffd\ufffdR\ufffd[\ufffd[\ufffd\ufffd\f\ufffd\ufffd\ufffd\ufffd\ufffd#\u0013&}\ufffdy\u001b\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffdr\|\u00e2&p\ufffd\ufffdP\u391a\ufffd\ufffdb\u0538^t?bQ[vz\ufffda\ufffd\ufffd\ufffd\ufffd \ufffd\u03cc\ufffd\ufffd\ufffdR\ufffd[\ufffd[\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd#&}\ufffdy\ufffd\ufffd\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
21/06/2026 02:09:30 UTC	TCP	2051 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:2051 · (sonde / probe) · → /favicon.ico	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET /favicon.ico UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2051 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Sonde HTTP (tag rce-0) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance 50 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ ( Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "ea2461d2a1df1f7ccdcf0873bc1d867a49a286e5", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 239, "payload_entropy": 5.3222245905763845, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 60, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "89a68c9fc75729cccca61086ba7dda1288bc8732", "event_fingerprint": "00b11b5cc902586c26895a74bff85382bd2ed354", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "confidence": 0.58, "classification_confidence": 0.58, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "4d68fca1c4cb5c371367849a14473d96", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 2051, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6d197110594e013ea9fd5cd9ce2b53c402dfc1cf", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "attack_vector": "Sonde HTTP \u00b7 via HTTP:2051 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "classification_reason_label_fr": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:2051 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ] }

89.205.21.201

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence