Renseignement sur les menaces

Macédoine du Nord

89.205.21.201

FAI Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip Première vue 08/06/2026 10:04 UTC Dernière vue 21/06/2026 02:09 UTC Risque Moyen

Période analysée : 2026-03-23 → 2026-06-21

Activité suspecte · risque 35/100

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Moyen · Risque max (7j) Moyen

Synthèse exécutive

Profil de menace

Score de risque 58/100 Moyen

Première observation 08/06/2026 10:04 UTC

Dernière observation 21/06/2026 02:09 UTC

Événements (période) 142

MITRE ATT&CK principal TA0007 100 occurrences

Activité suspecte · risque 35/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « tls_probe » (signaux protocolaires) · confiance 50%

Confiance 58 % — Score WAF 8 · Bonus corrélation +8

Comparaison ASN / FAI

ASN 41557 · 89.205.0.0/17 · RIPENCC — 1 pair(s) ASN/FAI listé(s) sur la base · 142 événements sur la période pour cette IP.

89.205.126.37 tcp 18/01/2026 09:42 UTC

Événements (filtres)

142

Première observation

08/06/2026 10:04 UTC

Dernière observation

21/06/2026 02:09 UTC

Dernière activité (filtres)

21/06/2026 02:09 UTC

Événements 7j

112

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 70 TLS TCP 28 CASSANDRA JMX TCP 15 HTTP ALT 8002 TCP 8 HTTP ALT 8082 TCP 8 HTTP ALT 8001 TCP 8

HTTP

TLS

CASSANDRA JMX

HTTP ALT 8002

HTTP ALT 8082

HTTP ALT 8001

Géolocalisation

Origine réseau déclarée

Macédoine du Nord unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip 0 Port 2051 port_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

tls probe · via TLS:2051 · (sonde / probe)

Détails protocole

Empreinte JA3: 78f0dc5ac5b19daf131a133c

Aperçu payload

��I�e��ȄF�15i]a�9��;`2JXLޡ S��u�� /�O��(��:��C\@>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3�

Port / service

2051 · TLS

Service émulé

TLS

Raison confiance

Confiance 50 % — Motif catalogue confirmé

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0554

Confiance

58% Corrélation +8

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

142 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

142 événement(s) — page 1/3

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
21/06/2026 02:09:32 UTC	TCP	2051 · TLS	tls	Sonde TLS tls probe · via TLS:2051 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2051 Chemin / cible — Service TLS Payload ��I�e��ȄF�15i]a�9��;`2JXLޡ S��u�� /�O��(��:��C\@>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��I�e��ȄF�15i]a�9��;`2JXLޡ S��u��/�O��(��:��C\@>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) ��I�e��ȄF�15i]a�9��;`2JXLޡ S��u�� /�O��(��:��C\@>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.139144031529031, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "17ee770155de9d76eb5346fc1757085086a537cc", "event_fingerprint": "c5c75a0a199572010403dd9c168f1a64f06284e9", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "ed638f60b5c54a46e55ca6bbe473eb10", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2051, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffdI\u0015\ufffde\ufffd\ufffd\u001d\u0204F\ufffd15i\u0005]a\ufffd9\ufffd\ufffd;`2JXL\u07a1 S\u001f\u0000\ufffd\ufffdu\ufffd\ufffd\ufffd\u000b\ufffd\u001d\ufffd\/\ufffdO\u000f\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd\ufffdC\\@\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffdI\u0015\ufffde\ufffd\ufffd\u001d\u0204F\ufffd15i\u0005]a\ufffd9\ufffd\ufffd;`2JXL\u07a1 S\u001f\u0000\ufffd\ufffdu\ufffd\ufffd\ufffd\u000b\ufffd\u001d\ufffd\/\ufffdO\u000f\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd\ufffdC\\@\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffdI\u0015\ufffde\ufffd\ufffd\u001d\u0204F\ufffd15i\u0005]a\ufffd9\ufffd\ufffd;`2JXL\u07a1 S\u001f\u0000\ufffd\ufffdu\ufffd\ufffd\ufffd\u000b\ufffd\u001d\ufffd\/\ufffdO\u000f\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd\ufffdC\\@\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "40a7c2efa70c4ad58e8e0892b0c07aaefd021bc3", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffdI\u0015\ufffde\ufffd\ufffd\u001d\u0204F\ufffd15i\u0005]a\ufffd9\ufffd\ufffd;`2JXL\u07a1 S\u001f\u0000\ufffd\ufffdu\ufffd\ufffd\ufffd\u000b\ufffd\u001d\ufffd\/\ufffdO\u000f\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd\ufffdC\\@\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdI\ufffde\ufffd\ufffd\u0204F\ufffd15i]a\ufffd9\ufffd\ufffd;`2JXL\u07a1 S\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd\ufffd\/\ufffdO\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd\ufffdC\\@>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffdI\u0015\ufffde\ufffd\ufffd\u001d\u0204F\ufffd15i\u0005]a\ufffd9\ufffd\ufffd;`2JXL\u07a1 S\u001f\u0000\ufffd\ufffdu\ufffd\ufffd\ufffd\u000b\ufffd\u001d\ufffd\/\ufffdO\u000f\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd\ufffdC\\@\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdI\ufffde\ufffd\ufffd\u0204F\ufffd15i]a\ufffd9\ufffd\ufffd;`2JXL\u07a1 S\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd\ufffd\/\ufffdO\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd\ufffdC\\@>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
21/06/2026 02:09:31 UTC	TCP	2051 · TLS	tls	Sonde TLS tls probe · via TLS:2051 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2051 Chemin / cible — Service TLS Payload �5c��0�q� ^�Ӿ�ݮ�D��[�4��-d Pp �P�4�=v��<O�3آ T�7R�7��v� +�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �5c��0�q� ^�Ӿ�ݮ�D��[�4��-dPp �P�4�=v��<O�3آ T�7R�7��v� +�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) �5c��0�q� ^�Ӿ�ݮ�D��[�4��-d Pp �P�4�=v��<O�3آ T�7R�7��v� +�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.106159628381976, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "17ee770155de9d76eb5346fc1757085086a537cc", "event_fingerprint": "c5c75a0a199572010403dd9c168f1a64f06284e9", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "c63833c03948c41efcf840c0ee088dac", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2051, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00035c\ufffd\ufffd\ufffd0\ufffdq\ufffd ^\ufffd\u04fe\ufffd\u076e\ufffdD\ufffd\ufffd[\ufffd4\u0013\ufffd\ufffd-d\u000bPp \ufffdP\ufffd4\ufffd=v\ufffd\ufffd<O\u0000\ufffd3\u0622 T\ufffd7R\ufffd7\ufffd\u0011\ufffdv\ufffd\r+\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00035c\ufffd\ufffd\ufffd0\ufffdq\ufffd ^\ufffd\u04fe\ufffd\u076e\ufffdD\ufffd\ufffd[\ufffd4\u0013\ufffd\ufffd-d\u000bPp \ufffdP\ufffd4\ufffd=v\ufffd\ufffd<O\u0000\ufffd3\u0622 T\ufffd7R\ufffd7\ufffd\u0011\ufffdv\ufffd\r+\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00035c\ufffd\ufffd\ufffd0\ufffdq\ufffd ^\ufffd\u04fe\ufffd\u076e\ufffdD\ufffd\ufffd[\ufffd4\u0013\ufffd\ufffd-d\u000bPp \ufffdP\ufffd4\ufffd=v\ufffd\ufffd<O\u0000\ufffd3\u0622 T\ufffd7R\ufffd7\ufffd\u0011\ufffdv\ufffd\r+\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4cb29c83607155420c3ddaed9967939ae28ea053", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00035c\ufffd\ufffd\ufffd0\ufffdq\ufffd ^\ufffd\u04fe\ufffd\u076e\ufffdD\ufffd\ufffd[\ufffd4\u0013\ufffd\ufffd-d\u000bPp \ufffdP\ufffd4\ufffd=v\ufffd\ufffd<O\u0000\ufffd3\u0622 T\ufffd7R\ufffd7\ufffd\u0011\ufffdv\ufffd\r+\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd5c\ufffd\ufffd\ufffd0\ufffdq\ufffd ^\ufffd\u04fe\ufffd\u076e\ufffdD\ufffd\ufffd[\ufffd4\ufffd\ufffd-dPp \ufffdP\ufffd4\ufffd=v\ufffd\ufffd<O\ufffd3\u0622 T\ufffd7R\ufffd7\ufffd\ufffdv\ufffd\r+\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00035c\ufffd\ufffd\ufffd0\ufffdq\ufffd ^\ufffd\u04fe\ufffd\u076e\ufffdD\ufffd\ufffd[\ufffd4\u0013\ufffd\ufffd-d\u000bPp \ufffdP\ufffd4\ufffd=v\ufffd\ufffd<O\u0000\ufffd3\u0622 T\ufffd7R\ufffd7\ufffd\u0011\ufffdv\ufffd\r+\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd5c\ufffd\ufffd\ufffd0\ufffdq\ufffd ^\ufffd\u04fe\ufffd\u076e\ufffdD\ufffd\ufffd[\ufffd4\ufffd\ufffd-dPp \ufffdP\ufffd4\ufffd=v\ufffd\ufffd<O\ufffd3\u0622 T\ufffd7R\ufffd7\ufffd\ufffdv\ufffd\r+\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
21/06/2026 02:09:31 UTC	TCP	2051 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:2051 · (tentative d'exploit) · → /image/lgbg.jpg	Élevée	Moyen · 48
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /image/lgbg.jpg UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 19 Recommandation Surveiller Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /image/lgbg.jpg TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2051 Chemin / cible /image/lgbg.jpg Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 48 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /image/lgbg.jpg HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /image/lgbg.jpg HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532 Requête brute (extrait) GET /image/lgbg.jpg HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "jpg", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "ea2461d2a1df1f7ccdcf0873bc1d867a49a286e5", "http_target_hash": "2dd31a361729c174218c8a0a20c0e5c1f46a52e7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 242, "payload_entropy": 5.366014933359768, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "02284ed624acf0fcbe7dfc1393c3ad13f95eb110", "event_fingerprint": "5c1ac9464b40ed28265fd6f988d1cc28c68a5049", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "c1d623679ae6bb710732a1dd7aee71b2", "path_pattern_hash": "27ca7de15d9e41dae8afc854797a412b" }, "target_context": { "dst_port": 2051, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "method": "GET", "path": "\/image\/lgbg.jpg", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/image\/lgbg.jpg HTTP\/1.1", "request_sample": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "evidence": { "method": "GET", "path": "\/image\/lgbg.jpg", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/image\/lgbg.jpg HTTP\/1.1", "request_sample": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b80ad3dbda1c4480a976df490a1e3dd6dd07f486", "protocol_details": { "http_method": "GET", "http_path": "\/image\/lgbg.jpg", "request_line": "GET \/image\/lgbg.jpg HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "attack_vector": "exploit attempt \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/image\/lgbg.jpg", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 48, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/image\/lgbg.jpg", "request_line": "GET \/image\/lgbg.jpg HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/image\/lgbg.jpg", "evidence_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ] }
21/06/2026 02:09:31 UTC	TCP	2051 · TLS	tls	Sonde TLS tls probe · via TLS:2051 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2051 Chemin / cible — Service TLS Payload �Yb{�s�A��ٯ��o�@u��7�n�C��2s )�G��x��xڸ�H_�BK�S�s��eC��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �Yb{�s�A��ٯ��o�@u��7�n�C��2s )�G��x��xڸ�H_�BK�S�s��eC��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) �Yb{�s�A��ٯ��o�@u��7�n�C��2s )�G��x��xڸ�H_�BK�S�s��eC��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.136818806122236, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "17ee770155de9d76eb5346fc1757085086a537cc", "event_fingerprint": "c5c75a0a199572010403dd9c168f1a64f06284e9", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "8efea23a92c31038ec7874d11155b17c", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2051, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003Yb{\ufffds\ufffdA\ufffd\ufffd\u066f\ufffd\ufffd\ufffd\ufffdo\u0006\ufffd\u0016@u\ufffd\ufffd7\ufffdn\ufffdC\ufffd\ufffd2s )\ufffdG\ufffd\ufffd\ufffdx\ufffd\ufffdx\u0014\u06b8\ufffdH_\ufffdBK\ufffd\u0018S\ufffds\ufffd\ufffdeC\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003Yb{\ufffds\ufffdA\ufffd\ufffd\u066f\ufffd\ufffd\ufffd\ufffdo\u0006\ufffd\u0016@u\ufffd\ufffd7\ufffdn\ufffdC\ufffd\ufffd2s )\ufffdG\ufffd\ufffd\ufffdx\ufffd\ufffdx\u0014\u06b8\ufffdH_\ufffdBK\ufffd\u0018S\ufffds\ufffd\ufffdeC\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003Yb{\ufffds\ufffdA\ufffd\ufffd\u066f\ufffd\ufffd\ufffd\ufffdo\u0006\ufffd\u0016@u\ufffd\ufffd7\ufffdn\ufffdC\ufffd\ufffd2s )\ufffdG\ufffd\ufffd\ufffdx\ufffd\ufffdx\u0014\u06b8\ufffdH_\ufffdBK\ufffd\u0018S\ufffds\ufffd\ufffdeC\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5beec214b887fa4bdd46e5aea5e1a193847e6833", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003Yb{\ufffds\ufffdA\ufffd\ufffd\u066f\ufffd\ufffd\ufffd\ufffdo\u0006\ufffd\u0016@u\ufffd\ufffd7\ufffdn\ufffdC\ufffd\ufffd2s )\ufffdG\ufffd\ufffd\ufffdx\ufffd\ufffdx\u0014\u06b8\ufffdH_\ufffdBK\ufffd\u0018S\ufffds\ufffd\ufffdeC\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffdYb{\ufffds\ufffdA\ufffd\ufffd\u066f\ufffd\ufffd\ufffd\ufffdo\ufffd@u\ufffd\ufffd7\ufffdn\ufffdC\ufffd\ufffd2s )\ufffdG\ufffd\ufffd\ufffdx\ufffd\ufffdx\u06b8\ufffdH_\ufffdBK\ufffdS\ufffds\ufffd\ufffdeC\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003Yb{\ufffds\ufffdA\ufffd\ufffd\u066f\ufffd\ufffd\ufffd\ufffdo\u0006\ufffd\u0016@u\ufffd\ufffd7\ufffdn\ufffdC\ufffd\ufffd2s )\ufffdG\ufffd\ufffd\ufffdx\ufffd\ufffdx\u0014\u06b8\ufffdH_\ufffdBK\ufffd\u0018S\ufffds\ufffd\ufffdeC\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffdYb{\ufffds\ufffdA\ufffd\ufffd\u066f\ufffd\ufffd\ufffd\ufffdo\ufffd@u\ufffd\ufffd7\ufffdn\ufffdC\ufffd\ufffd2s )\ufffdG\ufffd\ufffd\ufffdx\ufffd\ufffdx\u06b8\ufffdH_\ufffdBK\ufffdS\ufffds\ufffd\ufffdeC\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
21/06/2026 02:09:31 UTC	TCP	2051 · HTTP	http	jenkins probe jenkins probe · via HTTP:2051 · (sonde / probe) · → /login.rsp	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET /login.rsp UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /login.rsp TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2051 Chemin / cible /login.rsp Service HTTP Pourquoi cette classification : Type « jenkins_probe » (signaux protocolaires) · confiance 47% Confiance classification 55% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 47 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux Cicd Jenkins Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /login.rsp HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /login.rsp HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KH Requête brute (extrait) GET /login.rsp HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "rsp", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "ea2461d2a1df1f7ccdcf0873bc1d867a49a286e5", "http_target_hash": "577c7c6e9f07414bab1843cc24ba57c57365c8d9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 237, "payload_entropy": 5.317306065621836, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 60, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "89a68c9fc75729cccca61086ba7dda1288bc8732", "event_fingerprint": "f63c8bad84c905f498bb19cb48fc9cd090fcf7cc", "classification_reason": "Type \u00ab jenkins_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 56, "precision_signals": [ "INT-cicd-jenkins" ], "kb_rule_ids": [ "INT-cicd-jenkins" ], "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 47, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "920d063009cdf419b0fc5dc1940a5c18", "path_pattern_hash": "4586a3f595a38eb868be9c94ceb03915" }, "target_context": { "dst_port": 2051, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "method": "GET", "path": "\/login.rsp", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/login.rsp HTTP\/1.1", "request_sample": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "evidence": { "method": "GET", "path": "\/login.rsp", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/login.rsp HTTP\/1.1", "request_sample": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "classification_reason": "Type \u00ab jenkins_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f9b16211e75ae8b604df8c9dfca5fa58febd323f", "protocol_details": { "http_method": "GET", "http_path": "\/login.rsp", "request_line": "GET \/login.rsp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "attack_vector": "jenkins probe \u00b7 via HTTP:2051 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/login.rsp", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab jenkins_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "classification_reason_label_fr": "Type \u00ab jenkins_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "INT-cicd-jenkins" ], "tags_summary_labels_fr": [ "Cicd Jenkins" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/login.rsp", "request_line": "GET \/login.rsp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "jenkins probe \u00b7 via HTTP:2051 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/login.rsp", "evidence_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ] }
21/06/2026 02:09:31 UTC	TCP	2051 · TLS	tls	Sonde TLS tls probe · via TLS:2051 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2051 Chemin / cible — Service TLS Payload � H�@v�1��´>��Gѣ��<�\|�� S=W�"�#�w�Pv��M��h��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) � H�@v�1��´>��Gѣ��<�\|�� S=W�"�#�w�Pv��M��h��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) � H�@v�1��´>��Gѣ��<�\|�� S=W�"�#�w�Pv��M��h��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.154751590415655, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "17ee770155de9d76eb5346fc1757085086a537cc", "event_fingerprint": "c5c75a0a199572010403dd9c168f1a64f06284e9", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "97dc3afe69bbfbe29abbf0d0a194d9a7", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2051, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\nH\ufffd@v\ufffd1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00b4>\ufffd\ufffdG\u0463\ufffd\ufffd\ufffd<\ufffd\|\ufffd\u001b\u0013\ufffd S=W\ufffd\"\ufffd#\ufffdw\ufffdPv\ufffd\ufffd\ufffd\ufffd\ufffdM\u001a\u001c\u0006\ufffd\u001d\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\nH\ufffd@v\ufffd1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00b4>\ufffd\ufffdG\u0463\ufffd\ufffd\ufffd<\ufffd\|\ufffd\u001b\u0013\ufffd S=W\ufffd\"\ufffd#\ufffdw\ufffdPv\ufffd\ufffd\ufffd\ufffd\ufffdM\u001a\u001c\u0006\ufffd\u001d\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\nH\ufffd@v\ufffd1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00b4>\ufffd\ufffdG\u0463\ufffd\ufffd\ufffd<\ufffd\|\ufffd\u001b\u0013\ufffd S=W\ufffd\"\ufffd#\ufffdw\ufffdPv\ufffd\ufffd\ufffd\ufffd\ufffdM\u001a\u001c\u0006\ufffd\u001d\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "40a33885668b36682543608955c55dbf96e99ca2", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\nH\ufffd@v\ufffd1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00b4>\ufffd\ufffdG\u0463\ufffd\ufffd\ufffd<\ufffd\|\ufffd\u001b\u0013\ufffd S=W\ufffd\"\ufffd#\ufffdw\ufffdPv\ufffd\ufffd\ufffd\ufffd\ufffdM\u001a\u001c\u0006\ufffd\u001d\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\nH\ufffd@v\ufffd1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00b4>\ufffd\ufffdG\u0463\ufffd\ufffd\ufffd<\ufffd\|\ufffd\ufffd S=W\ufffd\"\ufffd#\ufffdw\ufffdPv\ufffd\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\nH\ufffd@v\ufffd1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00b4>\ufffd\ufffdG\u0463\ufffd\ufffd\ufffd<\ufffd\|\ufffd\u001b\u0013\ufffd S=W\ufffd\"\ufffd#\ufffdw\ufffdPv\ufffd\ufffd\ufffd\ufffd\ufffdM\u001a\u001c\u0006\ufffd\u001d\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\nH\ufffd@v\ufffd1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00b4>\ufffd\ufffdG\u0463\ufffd\ufffd\ufffd<\ufffd\|\ufffd\ufffd S=W\ufffd\"\ufffd#\ufffdw\ufffdPv\ufffd\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "behavior_alert_count": 1, "behavior_priority": 72 }
21/06/2026 02:09:31 UTC	TCP	2051 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:2051 · (tentative d'exploit) · → /nobody/favicon.ico	Élevée	Moyen · 48
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /nobody/favicon.ico UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 19 Recommandation Surveiller Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /nobody/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2051 Chemin / cible /nobody/favicon.ico Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 48 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /nobody/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /nobody/favicon.ico HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit Requête brute (extrait) GET /nobody/favicon.ico HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "ea2461d2a1df1f7ccdcf0873bc1d867a49a286e5", "http_target_hash": "99031f973e05a5223d32a653b4d8545b046e986a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.326159906936761, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "02284ed624acf0fcbe7dfc1393c3ad13f95eb110", "event_fingerprint": "2e7852cc60fdbc4813a5360d9bae90251aca59d6", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "3d50dc87dcd072ba6a849044efd4c6ba", "path_pattern_hash": "aed6526709a8e7eda329386724bafe99" }, "target_context": { "dst_port": 2051, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "method": "GET", "path": "\/nobody\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nobody\/favicon.ico HTTP\/1.1", "request_sample": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "evidence": { "method": "GET", "path": "\/nobody\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nobody\/favicon.ico HTTP\/1.1", "request_sample": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "991967d3657aa468aa6666851866449904864799", "protocol_details": { "http_method": "GET", "http_path": "\/nobody\/favicon.ico", "request_line": "GET \/nobody\/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "attack_vector": "exploit attempt \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nobody\/favicon.ico", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 48, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/nobody\/favicon.ico", "request_line": "GET \/nobody\/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nobody\/favicon.ico", "evidence_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ] }
21/06/2026 02:09:31 UTC	TCP	2051 · TLS	tls	Sonde TLS tls probe · via TLS:2051 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2051 Chemin / cible — Service TLS Payload �gA��^�'��D��nt��m�1�܆��V�� 4^q`�\|��3W&� � B�k��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification :* Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �gA��^�'��D��nt��m�1�܆��V�� 4^q`�\|��3W&�� B�k��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) �gA��^�'��D��nt��m�1�܆��V�� 4^q`�\|��3W&� � B�k��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.093402112137083, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "17ee770155de9d76eb5346fc1757085086a537cc", "event_fingerprint": "c5c75a0a199572010403dd9c168f1a64f06284e9", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "a51d7768695953f382c7941e44145b7d", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2051, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003g\u001f\u001aA\ufffd\ufffd^\u0019\ufffd'\ufffd\ufffd\ufffdD\ufffd\ufffdnt\ufffd\ufffdm\ufffd1\ufffd\u0706\ufffd\ufffdV\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd4\u000f^\u0010q`\ufffd\|\ufffd\u0005\u001a\ufffd\ufffd3W&\ufffd\f\ufffd\tB\ufffdk\ufffd\u0016\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003g\u001f\u001aA\ufffd\ufffd^\u0019\ufffd'\ufffd\ufffd\ufffdD\ufffd\ufffdnt\ufffd\ufffdm\ufffd1\ufffd\u0706\ufffd\ufffdV\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd4\u000f^\u0010q`\ufffd\|\ufffd\u0005\u001a\ufffd\ufffd3W&\ufffd\f\ufffd\tB\ufffdk\ufffd\u0016\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003g\u001f\u001aA\ufffd\ufffd^\u0019\ufffd'\ufffd\ufffd\ufffdD\ufffd\ufffdnt\ufffd\ufffdm\ufffd1\ufffd\u0706\ufffd\ufffdV\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd4\u000f^\u0010q`\ufffd\|\ufffd\u0005\u001a\ufffd\ufffd3W&\ufffd\f\ufffd\tB\ufffdk\ufffd\u0016\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6deaff916fadf8d2d6bb29fdf04ee123abf31cf6", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003g\u001f\u001aA\ufffd\ufffd^\u0019\ufffd'\ufffd\ufffd\ufffdD\ufffd\ufffdnt\ufffd\ufffdm\ufffd1\ufffd\u0706\ufffd\ufffdV\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd4\u000f^\u0010q`\ufffd\|\ufffd\u0005\u001a\ufffd\ufffd3W&\ufffd\f\ufffd\tB\ufffdk\ufffd\u0016\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffdgA\ufffd\ufffd^\ufffd'\ufffd\ufffd\ufffdD\ufffd\ufffdnt\ufffd\ufffdm\ufffd1\ufffd\u0706\ufffd\ufffdV\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd4^q`\ufffd\|\ufffd\ufffd\ufffd3W&\ufffd\ufffd\tB\ufffdk\ufffd\ufffd\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003g\u001f\u001aA\ufffd\ufffd^\u0019\ufffd'\ufffd\ufffd\ufffdD\ufffd\ufffdnt\ufffd\ufffdm\ufffd1\ufffd\u0706\ufffd\ufffdV\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd4\u000f^\u0010q`\ufffd\|\ufffd\u0005\u001a\ufffd\ufffd3W&\ufffd\f\ufffd\tB\ufffdk\ufffd\u0016\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffdgA\ufffd\ufffd^\ufffd'\ufffd\ufffd\ufffdD\ufffd\ufffdnt\ufffd\ufffdm\ufffd1\ufffd\u0706\ufffd\ufffdV\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd4^*q`\ufffd\|\ufffd\ufffd\ufffd3W&\ufffd\ufffd\tB\ufffdk\ufffd\ufffd\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
21/06/2026 02:09:31 UTC	TCP	2051 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:2051 · (tentative d'exploit) · → /skin/default_1/images/logo.png	Élevée	Moyen · 48
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /skin/default_1/images/logo.png UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 19 Recommandation Surveiller Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /skin/default_1/images/logo.png TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2051 Chemin / cible /skin/default_1/images/logo.png Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 48 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /skin/default_1/images/logo.png HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /skin/default_1/images/logo.png HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Requête brute (extrait) GET /skin/default_1/images/logo.png HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "png", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "ea2461d2a1df1f7ccdcf0873bc1d867a49a286e5", "http_target_hash": "893121d0eb67a0f333f42554a8794cc9f4cb2cfc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.357644436549911, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "02284ed624acf0fcbe7dfc1393c3ad13f95eb110", "event_fingerprint": "d07ef8d251010de2331dad3eb7f06c4520b6c526", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "1a4378b4a4620a4a65f0a7e2da93dc79", "path_pattern_hash": "f6ee15dfe5cdca7ba24428fd11fa927c" }, "target_context": { "dst_port": 2051, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "method": "GET", "path": "\/skin\/default_1\/images\/logo.png", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1", "request_sample": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n", "payload_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "evidence": { "method": "GET", "path": "\/skin\/default_1\/images\/logo.png", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1", "request_sample": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n", "payload_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4a049b97ba4e094d9da5e70b19d94f2cfbc8d599", "protocol_details": { "http_method": "GET", "http_path": "\/skin\/default_1\/images\/logo.png", "request_line": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "attack_vector": "exploit attempt \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/skin\/default_1\/images\/logo.png", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 48, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/skin\/default_1\/images\/logo.png", "request_line": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/skin\/default_1\/images\/logo.png", "evidence_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ] }
21/06/2026 02:09:30 UTC	TCP	2051	—	Sonde port Sonde port · port 2051 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2051 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": null, "app_proto": null, "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.8, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "67ba85dd97a84ed4a907c59cb4e7a91d5e2c4523", "event_fingerprint": "9e7c5f7113bcba95d589e18d51a28b4fdd3e6754", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 2051, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "efe6ce3ab9ea99a6d48339714cb3dfce86b6197e", "protocol_details": { "port": 2051 }, "attack_vector": "Sonde port \u00b7 port 2051 \u00b7 (sonde \/ probe)", "target_port_label": "2051", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "port": 2051 }, "attack_vector": "Sonde port \u00b7 port 2051 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "2051", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
21/06/2026 02:09:30 UTC	TCP	2051 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:2051 · (tentative d'exploit)	Élevée	Moyen · 44
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2051 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 44 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "ea2461d2a1df1f7ccdcf0873bc1d867a49a286e5", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 228, "payload_entropy": 5.323334795469355, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "0f20a4100a499536900f68fe3b29e4efb48f6740", "event_fingerprint": "512f0b26b01f77fc234e61d269f3ea3ad1d7bf46", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "537f19cd222110ff3beecb7ab27981ab", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2051, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fea23352e9c662bc633f578096739c78d79b8ca8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "attack_vector": "exploit attempt \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit)", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:2051" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "behavior_alert_count": 1, "behavior_priority": 96 }
21/06/2026 02:09:30 UTC	TCP	2051 · TLS	tls	Sonde TLS tls probe · via TLS:2051 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2051 Chemin / cible — Service TLS Payload ��L��,�L��lMlf-5 �z�16�Y0�1.5�V �F��l�)W��j�2�ow��^�5 J��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��L��,�L��lMlf-5�z�16�Y0�1.5�V �F��l�)W��j�2�ow��^�5 J��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) ��L��,�L��lMlf-5 �z�16�Y0�1.5�V �F��l�)W��j�2�ow��^�5 J��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.1039016808176845, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "17ee770155de9d76eb5346fc1757085086a537cc", "event_fingerprint": "c5c75a0a199572010403dd9c168f1a64f06284e9", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "4e4f32366bc4a61100a9d35ebdd3c873", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2051, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdL\ufffd\u0016\ufffd\ufffd,\ufffdL\ufffd\ufffdlMlf-5\u000b\ufffdz\ufffd16\ufffdY0\ufffd1.5\ufffdV \ufffdF\ufffd\ufffd\ufffd\u0013\ufffd\ufffdl\ufffd)W\ufffd\u0006\u001a\ufffdj\ufffd2\ufffdo\u0015w\ufffd\ufffd^\ufffd5\rJ\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdL\ufffd\u0016\ufffd\ufffd,\ufffdL\ufffd\ufffdlMlf-5\u000b\ufffdz\ufffd16\ufffdY0\ufffd1.5\ufffdV \ufffdF\ufffd\ufffd\ufffd\u0013\ufffd\ufffdl\ufffd)W\ufffd\u0006\u001a\ufffdj\ufffd2\ufffdo\u0015w\ufffd\ufffd^\ufffd5\rJ\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdL\ufffd\u0016\ufffd\ufffd,\ufffdL\ufffd\ufffdlMlf-5\u000b\ufffdz\ufffd16\ufffdY0\ufffd1.5\ufffdV \ufffdF\ufffd\ufffd\ufffd\u0013\ufffd\ufffdl\ufffd)W\ufffd\u0006\u001a\ufffdj\ufffd2\ufffdo\u0015w\ufffd\ufffd^\ufffd5\rJ\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1f6bbb535d081fd6da36b350c8918d4cb19c4d7c", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdL\ufffd\u0016\ufffd\ufffd,\ufffdL\ufffd\ufffdlMlf-5\u000b\ufffdz\ufffd16\ufffdY0\ufffd1.5\ufffdV \ufffdF\ufffd\ufffd\ufffd\u0013\ufffd\ufffdl\ufffd)W\ufffd\u0006\u001a\ufffdj\ufffd2\ufffdo\u0015w\ufffd\ufffd^\ufffd5\rJ\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffdL\ufffd\ufffd\ufffd,\ufffdL\ufffd\ufffdlMlf-5\ufffdz\ufffd16\ufffdY0\ufffd1.5\ufffdV \ufffdF\ufffd\ufffd\ufffd\ufffd\ufffdl\ufffd)W\ufffd\ufffdj\ufffd2\ufffdow\ufffd\ufffd^\ufffd5\rJ\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdL\ufffd\u0016\ufffd\ufffd,\ufffdL\ufffd\ufffdlMlf-5\u000b\ufffdz\ufffd16\ufffdY0\ufffd1.5\ufffdV \ufffdF\ufffd\ufffd\ufffd\u0013\ufffd\ufffdl\ufffd)W\ufffd\u0006\u001a\ufffdj\ufffd2\ufffdo\u0015w\ufffd\ufffd^\ufffd5\rJ\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdL\ufffd\ufffd\ufffd,\ufffdL\ufffd\ufffdlMlf-5\ufffdz\ufffd16\ufffdY0\ufffd1.5\ufffdV \ufffdF\ufffd\ufffd\ufffd\ufffd\ufffdl\ufffd)W\ufffd\ufffdj\ufffd2\ufffdow\ufffd\ufffd^\ufffd5\rJ\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
21/06/2026 02:09:30 UTC	TCP	2051 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:2051 · (tentative d'exploit) · → /cgi-bin/param.cgi	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /cgi-bin/param.cgi UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_cgi_bin Cible HTTP GET /cgi-bin/param.cgi TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2051 Chemin / cible /cgi-bin/param.cgi Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CVE-2024-8956 PTZOptics Ligne de requête `GET /cgi-bin/param.cgi HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /cgi-bin/param.cgi HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/ Requête brute (extrait) GET /cgi-bin/param.cgi HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "cgi", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "ea2461d2a1df1f7ccdcf0873bc1d867a49a286e5", "http_target_hash": "49fcaff1d04840b2dcbeade821e5fb00d229020f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 245, "payload_entropy": 5.34173795956184, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 55, "tag_count": 6, "anomaly_count": 0, "campaign_key": "9b10a52f15174ef43cf66402a2cbcd5dc879a2d8", "event_fingerprint": "cfccb55451f6e29287c48dcfe8f84fbe59493d27", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0792" ], "matched_pattern_names": [ "CVE-2024-8956 PTZOptics" ], "pattern_ids": [ "pat-0792" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "5ac33062d4fd1ed4844f856817f4f8e7", "path_pattern_hash": "c17d9d1deca910691cca18621393a389" }, "target_context": { "dst_port": 2051, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "method": "GET", "path": "\/cgi-bin\/param.cgi", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/cgi-bin\/param.cgi HTTP\/1.1", "request_sample": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/cgi-bin\/param.cgi", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/cgi-bin\/param.cgi HTTP\/1.1", "request_sample": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "25108fa747aad13d257087a26f545d501d9c4462", "protocol_details": { "http_method": "GET", "http_path": "\/cgi-bin\/param.cgi", "request_line": "GET \/cgi-bin\/param.cgi HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "attack_vector": "config file probe \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/cgi-bin\/param.cgi", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/cgi-bin\/param.cgi", "request_line": "GET \/cgi-bin\/param.cgi HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:2051 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/cgi-bin\/param.cgi", "evidence_snippet": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_cgi_bin", "http_sensitive_path", "iot_http_endpoint" ] }
21/06/2026 02:09:30 UTC	TCP	2051 · TLS	tls	Sonde TLS tls probe · via TLS:2051 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2051 Chemin / cible — Service TLS Payload �r\|â&p��P㤚��bԸ^t?bQ[vz�a�� ό��R�[�[�� #&}�y��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �r\|â&p��P㤚��bԸ^t?bQ[vz�a�� ό��R�[�[��#&}�y��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) �r\|â&p��P㤚��bԸ^t?bQ[vz�a�� ό��R�[�[�� #&}�y��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.130273791514198, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "17ee770155de9d76eb5346fc1757085086a537cc", "event_fingerprint": "c5c75a0a199572010403dd9c168f1a64f06284e9", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "6c21cdb19b26cf2d3aae0619dfb23794", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2051, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003r\|\u00e2&p\ufffd\ufffdP\u391a\ufffd\ufffdb\u0538^\u0018t?bQ[vz\ufffda\ufffd\ufffd\ufffd\ufffd \u001b\ufffd\u03cc\ufffd\ufffd\ufffdR\ufffd[\ufffd[\ufffd\ufffd\f\ufffd\ufffd\ufffd\ufffd\ufffd#\u0013&}\ufffdy\u001b\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003r\|\u00e2&p\ufffd\ufffdP\u391a\ufffd\ufffdb\u0538^\u0018t?bQ[vz\ufffda\ufffd\ufffd\ufffd\ufffd \u001b\ufffd\u03cc\ufffd\ufffd\ufffdR\ufffd[\ufffd[\ufffd\ufffd\f\ufffd\ufffd\ufffd\ufffd\ufffd#\u0013&}\ufffdy\u001b\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003r\|\u00e2&p\ufffd\ufffdP\u391a\ufffd\ufffdb\u0538^\u0018t?bQ[vz\ufffda\ufffd\ufffd\ufffd\ufffd \u001b\ufffd\u03cc\ufffd\ufffd\ufffdR\ufffd[\ufffd[\ufffd\ufffd\f\ufffd\ufffd\ufffd\ufffd\ufffd#\u0013&}\ufffdy\u001b\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5a27489384e87da81cb80977beb21b89803e746c", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003r\|\u00e2&p\ufffd\ufffdP\u391a\ufffd\ufffdb\u0538^\u0018t?bQ[vz\ufffda\ufffd\ufffd\ufffd\ufffd \u001b\ufffd\u03cc\ufffd\ufffd\ufffdR\ufffd[\ufffd[\ufffd\ufffd\f\ufffd\ufffd\ufffd\ufffd\ufffd#\u0013&}\ufffdy\u001b\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffdr\|\u00e2&p\ufffd\ufffdP\u391a\ufffd\ufffdb\u0538^t?bQ[vz\ufffda\ufffd\ufffd\ufffd\ufffd \ufffd\u03cc\ufffd\ufffd\ufffdR\ufffd[\ufffd[\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd#&}\ufffdy\ufffd\ufffd\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003r\|\u00e2&p\ufffd\ufffdP\u391a\ufffd\ufffdb\u0538^\u0018t?bQ[vz\ufffda\ufffd\ufffd\ufffd\ufffd \u001b\ufffd\u03cc\ufffd\ufffd\ufffdR\ufffd[\ufffd[\ufffd\ufffd\f\ufffd\ufffd\ufffd\ufffd\ufffd#\u0013&}\ufffdy\u001b\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 2051, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:2051 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffdr\|\u00e2&p\ufffd\ufffdP\u391a\ufffd\ufffdb\u0538^t?bQ[vz\ufffda\ufffd\ufffd\ufffd\ufffd \ufffd\u03cc\ufffd\ufffd\ufffdR\ufffd[\ufffd[\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd#&}\ufffdy\ufffd\ufffd\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "2051 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
21/06/2026 02:09:30 UTC	TCP	2051 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:2051 · (sonde / probe) · → /favicon.ico	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET /favicon.ico UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2051 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Sonde HTTP (tag rce-0) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance 50 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ ( Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:2051 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "ea2461d2a1df1f7ccdcf0873bc1d867a49a286e5", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 239, "payload_entropy": 5.3222245905763845, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 2051, "risk_waf": 60, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "89a68c9fc75729cccca61086ba7dda1288bc8732", "event_fingerprint": "00b11b5cc902586c26895a74bff85382bd2ed354", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "confidence": 0.58, "classification_confidence": 0.58, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "4d68fca1c4cb5c371367849a14473d96", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 2051, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6d197110594e013ea9fd5cd9ce2b53c402dfc1cf", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "attack_vector": "Sonde HTTP \u00b7 via HTTP:2051 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "classification_reason_label_fr": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2051, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 2051, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:2051 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2051\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "target_port_label": "2051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:2051", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ] }
20/06/2026 04:09:44 UTC	TCP	8080 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:8080 · (tentative d'exploit) · → /nobody/favicon.ico	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /nobody/favicon.ico UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /nobody/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /nobody/favicon.ico Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 51 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /nobody/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /nobody/favicon.ico HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit Requête brute (extrait) GET /nobody/favicon.ico HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20696d6167652f782d69636f6e0d0a436f6e74656e742d4c656e6774683a2032320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a0000010001001010000001002000680400001600", "emulator_response_len": 130, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "99031f973e05a5223d32a653b4d8545b046e986a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.345894675116734, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 8080, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f24aa19b861b9f57d88ee4561751cd3e6d0a2752", "event_fingerprint": "85ec4b90be053bdb4e2cccbaad51ade12c81241f", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "678c640c627bb22be1d7aea3b65e7ba9", "path_pattern_hash": "aed6526709a8e7eda329386724bafe99" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "method": "GET", "path": "\/nobody\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nobody\/favicon.ico HTTP\/1.1", "request_sample": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "evidence": { "method": "GET", "path": "\/nobody\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nobody\/favicon.ico HTTP\/1.1", "request_sample": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e8a0c23f929be531ed7e53d84ff9569f37e692bd", "protocol_details": { "http_method": "GET", "http_path": "\/nobody\/favicon.ico", "request_line": "GET \/nobody\/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "attack_vector": "exploit attempt \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nobody\/favicon.ico", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/nobody\/favicon.ico", "request_line": "GET \/nobody\/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nobody\/favicon.ico", "evidence_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
20/06/2026 04:09:44 UTC	TCP	8080 · HTTP	http	slowloris slowloris · via HTTP:8080 · (tentative d'exploit)	Élevée	Faible · 39
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole 4ǔ Émulateur HTTP WAF 10 Recommandation Surveiller Tags 950325:rce-0 950734:sap-sapcontrol-path http_no_ua net_slowloris Cible HTTP 4ǔ ?\;pa TLS SNI — Capteur paris-1
Preuve / Evidence Méthode 4ǔ Port 8080 Chemin / cible ?\;pa Service HTTP Payload ��4�ǔ��?\;��p��a� �t\| ��Sʛ��3'��c `�{\�?&��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « slowloris » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 39 Confiance : Confiance 50 % — 2 tag(s) WAF Protocole émulé 1 Signaux Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Minecraft varint handshake SIP TLS ClientHello TFTP RRQ Ligne de requête `4Ǔ ?\;pa HTTP/1.1` User-Agent — Règles WAF rce-0 sap-sapcontrol-path Payload (extrait) ��4�ǔ��?\;��p��a� �t\| ��Sʛ��3'��c`�{\�?&��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) ��4�ǔ��?\;��p��a� �t\| ��Sʛ��3'��c `�{\�?&��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 0, "http_query_params": 1, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "a32920a70853ca96bd7181174ce785c07022d07f", "http_referer_hash": null, "http_method": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\u0003\u00034\u01d4", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 517, "payload_entropy": 4.076515978737347, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 8080, "risk_waf": 48, "risk_classification": 68, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 48, "classification": 68, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 10 }, "risk_score": 39, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f7eba828f980f4822204bf97020992955d4d4edb", "event_fingerprint": "e8b24ff8345d235812407f850c99259631f16e91", "classification_reason": "Type \u00ab slowloris \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 55, "precision_signals": [ "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0554", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "Minecraft varint handshake", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0554", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 48, "classification": 68, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 10, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "50062deb29c43aee391eae8e49702611", "path_pattern_hash": null }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 39 }, "method": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\u0003\u00034\u01d4", "query_string": "\\\b;\u0015\u0001p\u0001a", "waf_tags": [ "950325:rce-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "sap-sapcontrol-path" ], "request_line": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\u0003\u00034\u01d3 ?\\\b;\u0015\u0001p\u0001a HTTP\/1.1", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd4\ufffd\u01d4\ufffd\u001e\ufffd\ufffd\ufffd?\\\b;\u0015\ufffd\u0001\ufffd\ufffdp\u0001\ufffd\ufffda\ufffd\n\ufffd\u0005t\| \ufffd\ufffd\ufffdS\u029b\ufffd\ufffd\ufffd\ufffd3'\ufffd\ufffdc\u0003\u000b`\ufffd{\\\ufffd?&\ufffd\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "method": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\u0003\u00034\u01d4", "query_string": "\\\b;\u0015\u0001p\u0001a", "waf_tags": [ "950325:rce-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "sap-sapcontrol-path" ], "request_line": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\u0003\u00034\u01d3 ?\\\b;\u0015\u0001p\u0001a HTTP\/1.1", "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd4\ufffd\u01d4\ufffd\u001e\ufffd\ufffd\ufffd?\\\b;\u0015\ufffd\u0001\ufffd\ufffdp\u0001\ufffd\ufffda\ufffd\n\ufffd\u0005t\| \ufffd\ufffd\ufffdS\u029b\ufffd\ufffd\ufffd\ufffd3'\ufffd\ufffdc\u0003\u000b`\ufffd{\\\ufffd?&\ufffd\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd4\ufffd\u01d4\ufffd\u001e\ufffd\ufffd\ufffd?\\\b;\u0015\ufffd\u0001\ufffd\ufffdp\u0001\ufffd\ufffda\ufffd\n\ufffd\u0005t\| \ufffd\ufffd\ufffdS\u029b\ufffd\ufffd\ufffd\ufffd3'\ufffd\ufffdc\u0003\u000b`\ufffd{\\\ufffd?&\ufffd\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab slowloris \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "890a724385ac16825b9b83a70846cfdf53f524c8", "protocol_details": { "http_method": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\u0003\u00034\u01d4", "request_line": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\u0003\u00034\u01d3 ?\\\b;\u0015\u0001p\u0001a HTTP\/1.1", "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd4\ufffd\u01d4\ufffd\u001e\ufffd\ufffd\ufffd?\\\b;\u0015\ufffd\u0001\ufffd\ufffdp\u0001\ufffd\ufffda\ufffd\n\ufffd\u0005t\| \ufffd\ufffd\ufffdS\u029b\ufffd\ufffd\ufffd\ufffd3'\ufffd\ufffdc\u0003\u000b`\ufffd{\\\ufffd?&\ufffd\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "\ufffd\ufffd4\ufffd\u01d4\ufffd\ufffd\ufffd\ufffd?\\;\ufffd\ufffd\ufffdp\ufffd\ufffda\ufffd\n\ufffdt\| \ufffd\ufffd\ufffdS\u029b\ufffd\ufffd\ufffd\ufffd3'\ufffd\ufffdc`\ufffd{\\\ufffd?&\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "slowloris \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab slowloris \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab slowloris \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 39\/100 (Faible) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP", "confidence_pct": 50, "confidence_breakdown": { "waf": 48, "classification": 68, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 10, "risk_score": 39 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 39, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Upstream", "Waf Score" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\u0003\u00034\u01d4", "request_line": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\u0003\u00034\u01d3 ?\\\b;\u0015\u0001p\u0001a HTTP\/1.1", "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd4\ufffd\u01d4\ufffd\u001e\ufffd\ufffd\ufffd?\\\b;\u0015\ufffd\u0001\ufffd\ufffdp\u0001\ufffd\ufffda\ufffd\n\ufffd\u0005t\| \ufffd\ufffd\ufffdS\u029b\ufffd\ufffd\ufffd\ufffd3'\ufffd\ufffdc\u0003\u000b`\ufffd{\\\ufffd?&\ufffd\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "slowloris \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit)", "evidence_snippet": "\ufffd\ufffd4\ufffd\u01d4\ufffd\ufffd\ufffd\ufffd?\\;\ufffd\ufffd\ufffdp\ufffd\ufffda\ufffd\n\ufffdt\| \ufffd\ufffd\ufffdS\u029b\ufffd\ufffd\ufffd\ufffd3'\ufffd\ufffdc`\ufffd{\\\ufffd?&\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 48 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950325:rce-0", "950734:sap-sapcontrol-path", "http_no_ua", "net_slowloris", "net_web_probe" ] }
20/06/2026 04:09:44 UTC	TCP	8080 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:8080 · (tentative d'exploit) · → /skin/default_1/images/logo.png	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /skin/default_1/images/logo.png UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /skin/default_1/images/logo.png TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /skin/default_1/images/logo.png Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 51 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /skin/default_1/images/logo.png HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /skin/default_1/images/logo.png HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Requête brute (extrait) GET /skin/default_1/images/logo.png HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "png", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "893121d0eb67a0f333f42554a8794cc9f4cb2cfc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.377397645435413, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 8080, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f24aa19b861b9f57d88ee4561751cd3e6d0a2752", "event_fingerprint": "fdac0ade9bcc767f45d3367f2f08aa618aa2003c", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "5862568a6187555c8910d1b9d0bce7c0", "path_pattern_hash": "f6ee15dfe5cdca7ba24428fd11fa927c" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "method": "GET", "path": "\/skin\/default_1\/images\/logo.png", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1", "request_sample": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n", "payload_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "evidence": { "method": "GET", "path": "\/skin\/default_1\/images\/logo.png", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1", "request_sample": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n", "payload_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0dc48fc4d7dec9a94bfd4e29e88d322b0ca82aaf", "protocol_details": { "http_method": "GET", "http_path": "\/skin\/default_1\/images\/logo.png", "request_line": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "attack_vector": "exploit attempt \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/skin\/default_1\/images\/logo.png", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/skin\/default_1\/images\/logo.png", "request_line": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/skin\/default_1\/images\/logo.png", "evidence_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
20/06/2026 04:09:43 UTC	TCP	8080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8080 · (tentative d'exploit) · → /cgi-bin/param.cgi	Élevée	Moyen · 58
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /cgi-bin/param.cgi UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_cgi_bin Cible HTTP GET /cgi-bin/param.cgi TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /cgi-bin/param.cgi Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 58 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CVE-2024-8956 PTZOptics Ligne de requête `GET /cgi-bin/param.cgi HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /cgi-bin/param.cgi HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/ Requête brute (extrait) GET /cgi-bin/param.cgi HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "cgi", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "49fcaff1d04840b2dcbeade821e5fb00d229020f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 245, "payload_entropy": 5.361553277816017, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 8080, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 58, "tag_count": 7, "anomaly_count": 0, "campaign_key": "cadf4c20d3f215380fa8aca05628af8121d66068", "event_fingerprint": "d5ff6e6e04a188022e535592c9450f5535d158f2", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0792" ], "matched_pattern_names": [ "CVE-2024-8956 PTZOptics" ], "pattern_ids": [ "pat-0792" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "a5f31046097eeeade42a1fe4688f1977", "path_pattern_hash": "c17d9d1deca910691cca18621393a389" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 58 }, "payload_preview": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "method": "GET", "path": "\/cgi-bin\/param.cgi", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/cgi-bin\/param.cgi HTTP\/1.1", "request_sample": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/cgi-bin\/param.cgi", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/cgi-bin\/param.cgi HTTP\/1.1", "request_sample": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3dedab8d08b977b69a84696b90e7502d38c43285", "protocol_details": { "http_method": "GET", "http_path": "\/cgi-bin\/param.cgi", "request_line": "GET \/cgi-bin\/param.cgi HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "attack_vector": "config file probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/cgi-bin\/param.cgi", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 58 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 58, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/cgi-bin\/param.cgi", "request_line": "GET \/cgi-bin\/param.cgi HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/cgi-bin\/param.cgi", "evidence_snippet": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_cgi_bin", "http_sensitive_path", "iot_http_endpoint", "net_web_probe" ] }
20/06/2026 04:09:43 UTC	TCP	8080 · HTTP	http	minecraft probe minecraft probe · via HTTP:8080 · (sonde / probe) · → &>@	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole _MH &>@ Émulateur HTTP WAF 7 Recommandation Surveiller Tags 950324:rce-0 http_no_ua net_web_probe Cible HTTP _MH &>@ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode _MH Port 8080 Chemin / cible &>@ Service HTTP Pourquoi cette classification : Type « minecraft_probe » (signaux protocolaires) · confiance 42% Confiance classification 42% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 42 % — Motif catalogue confirmé · 1 tag(s) WAF Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake SIP TLS ClientHello TFTP RRQ Ligne de requête `_MH &>@ HTTP/1.1` User-Agent — Règles WAF rce-0 Payload (extrait) ��_�MH��&>@�"��pG��[�� T\��w�D�\|��Flw1N�?��Z�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) ��_�MH�� &>@ �"��pG��[�� T\��w�D�\|��Flw1N�?��Z�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 0, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "c2d03728d5108e72717529413620cc9438c2cd57", "http_referer_hash": null, "http_method": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\u0003\u0003_MH\u0004\u0018", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 517, "payload_entropy": 4.15916031438895, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 8080, "risk_waf": 36, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 36, "classification": 48, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f074606b922ffbc0a44e87add047c495b93d5345", "event_fingerprint": "93fa2f8f035f3b9c91ee5986837e3cbf6ef41ea7", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "confidence": 0.42, "classification_confidence": 0.42, "precision_score": 50, "precision_signals": [ "pat-0554" ], "kb_rule_ids": [ "pat-0554" ], "matched_patterns": [ "pat-0554", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "Minecraft varint handshake", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0554", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 36, "classification": 48, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 42, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "08924bee97651dfcbfb9380afd3fb340", "path_pattern_hash": "26fb1f0c9d3bfa72facaa0e555667f07" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 45 }, "method": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\u0003\u0003_MH\u0004\u0018", "path": "\u0018&>@", "waf_tags": [ "950324:rce-0" ], "waf_rule_names": [ "rce-0" ], "request_line": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\u0003\u0003_MH\u0004\u0018 \u0018&>@ HTTP\/1.1", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd_\ufffdMH\ufffd\u0004\u0018\ufffd\f\ufffd\ufffd\u0018&>@\f\ufffd\"\ufffd\ufffdpG\ufffd\ufffd\ufffd[\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\ufffdT\\\ufffd\ufffd\ufffdw\ufffdD\ufffd\|\ufffd\ufffdFlw1N\ufffd\u0019?\ufffd\ufffdZ\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "method": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\u0003\u0003_MH\u0004\u0018", "path": "\u0018&>@", "waf_tags": [ "950324:rce-0" ], "waf_rule_names": [ "rce-0" ], "request_line": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\u0003\u0003_MH\u0004\u0018 \u0018&>@ HTTP\/1.1", "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd_\ufffdMH\ufffd\u0004\u0018\ufffd\f\ufffd\ufffd\u0018&>@\f\ufffd\"\ufffd\ufffdpG\ufffd\ufffd\ufffd[\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\ufffdT\\\ufffd\ufffd\ufffdw\ufffdD\ufffd\|\ufffd\ufffdFlw1N\ufffd\u0019?\ufffd\ufffdZ\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd_\ufffdMH\ufffd\u0004\u0018\ufffd\f\ufffd\ufffd\u0018&>@\f\ufffd\"\ufffd\ufffdpG\ufffd\ufffd\ufffd[\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\ufffdT\\\ufffd\ufffd\ufffdw\ufffdD\ufffd\|\ufffd\ufffdFlw1N\ufffd\u0019?\ufffd\ufffdZ\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "game_server_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf7775d8fac77a1c59d77ed77d554024d06983a0", "protocol_details": { "http_method": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\u0003\u0003_MH\u0004\u0018", "http_path": "\u0018&>@", "request_line": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\u0003\u0003_MH\u0004\u0018 \u0018&>@ HTTP\/1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd_\ufffdMH\ufffd\ufffd\ufffd\ufffd&>@\ufffd\"\ufffd\ufffdpG\ufffd\ufffd\ufffd[\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\ufffdT\\\ufffd\ufffd\ufffdw\ufffdD\ufffd\|\ufffd\ufffdFlw1N\ufffd?\ufffd\ufffdZ\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "minecraft probe \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe) \u00b7 \u2192 \u0018&>@", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "classification_reason_label_fr": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 42, "confidence_breakdown": { "waf": 36, "classification": 48, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\u0003\u0003_MH\u0004\u0018", "http_path": "\u0018&>@", "request_line": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\u0003\u0003_MH\u0004\u0018 \u0018&>@ HTTP\/1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "minecraft probe \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe) \u00b7 \u2192 \u0018&>@", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd_\ufffdMH\ufffd\ufffd\ufffd\ufffd&>@\ufffd\"\ufffd\ufffdpG\ufffd\ufffd\ufffd[\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\ufffdT\\\ufffd\ufffd\ufffdw\ufffdD\ufffd\|\ufffd\ufffdFlw1N\ufffd?\ufffd\ufffdZ\ufffd*>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 42 % \u2014 Score WAF 36 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "950324:rce-0", "http_no_ua", "net_web_probe" ] }
20/06/2026 04:09:43 UTC	TCP	8080 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8080 · (sonde / probe) · → /favicon.ico	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /favicon.ico UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Sonde HTTP (tag rce-0) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 42 Confiance : Confiance 50 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ ( Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20696d6167652f782d69636f6e0d0a436f6e74656e742d4c656e6774683a2032320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a0000010001001010000001002000680400001600", "emulator_response_len": 130, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 239, "payload_entropy": 5.34253736451895, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "57f088a40ee12788bdcf96d0d3ffc1707c32a99e", "event_fingerprint": "f0c7540ae94dd06ee97286c4e47f9e7d5346b40e", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 42 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "0b6cf0496dfaf902355ac2fac19cb09e", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "67c4ac51110f4de9f44ce6d59dcdc3934aa69c6d", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "classification_reason_label_fr": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
20/06/2026 04:09:43 UTC	TCP	8080 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:8080 · (tentative d'exploit) · → /image/lgbg.jpg	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /image/lgbg.jpg UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /image/lgbg.jpg TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /image/lgbg.jpg Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 51 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /image/lgbg.jpg HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /image/lgbg.jpg HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532 Requête brute (extrait) GET /image/lgbg.jpg HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "jpg", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "2dd31a361729c174218c8a0a20c0e5c1f46a52e7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 242, "payload_entropy": 5.386075896055113, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 8080, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f24aa19b861b9f57d88ee4561751cd3e6d0a2752", "event_fingerprint": "2ec7b3b64c67a70979cc52cc9dc918a1bd743bd0", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "18e9edebba3b97df47f713bc8d16a176", "path_pattern_hash": "27ca7de15d9e41dae8afc854797a412b" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "method": "GET", "path": "\/image\/lgbg.jpg", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/image\/lgbg.jpg HTTP\/1.1", "request_sample": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "evidence": { "method": "GET", "path": "\/image\/lgbg.jpg", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/image\/lgbg.jpg HTTP\/1.1", "request_sample": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5197a01bca3228bed93477bd4df803fea82c0049", "protocol_details": { "http_method": "GET", "http_path": "\/image\/lgbg.jpg", "request_line": "GET \/image\/lgbg.jpg HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "attack_vector": "exploit attempt \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/image\/lgbg.jpg", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/image\/lgbg.jpg", "request_line": "GET \/image\/lgbg.jpg HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/image\/lgbg.jpg", "evidence_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
20/06/2026 04:09:43 UTC	TCP	8080 · HTTP	http	jenkins probe jenkins probe · via HTTP:8080 · (sonde / probe) · → /login.rsp	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /login.rsp UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /login.rsp TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /login.rsp Service HTTP Pourquoi cette classification : Type « jenkins_probe » (signaux protocolaires) · confiance 47% Confiance classification 47% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 47 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux Cicd Jenkins Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /login.rsp HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /login.rsp HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KH Requête brute (extrait) GET /login.rsp HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "rsp", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "577c7c6e9f07414bab1843cc24ba57c57365c8d9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 237, "payload_entropy": 5.3377902553782635, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "57f088a40ee12788bdcf96d0d3ffc1707c32a99e", "event_fingerprint": "43fbf85397ca68f7abd4c7efc3f68377d0c1b191", "classification_reason": "Type \u00ab jenkins_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "confidence": 0.47, "classification_confidence": 0.47, "precision_score": 56, "precision_signals": [ "INT-cicd-jenkins" ], "kb_rule_ids": [ "INT-cicd-jenkins" ], "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 47, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "4a304c30d802d2038c0a26faefa95fe3", "path_pattern_hash": "4586a3f595a38eb868be9c94ceb03915" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "method": "GET", "path": "\/login.rsp", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/login.rsp HTTP\/1.1", "request_sample": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "evidence": { "method": "GET", "path": "\/login.rsp", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/login.rsp HTTP\/1.1", "request_sample": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "classification_reason": "Type \u00ab jenkins_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4d521d37dcaab07aabdb23274a259f114e6fb5de", "protocol_details": { "http_method": "GET", "http_path": "\/login.rsp", "request_line": "GET \/login.rsp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "attack_vector": "jenkins probe \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/login.rsp", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab jenkins_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "classification_reason_label_fr": "Type \u00ab jenkins_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 47, "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "INT-cicd-jenkins" ], "tags_summary_labels_fr": [ "Cicd Jenkins" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/login.rsp", "request_line": "GET \/login.rsp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "jenkins probe \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/login.rsp", "evidence_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 47 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
20/06/2026 04:09:42 UTC	TCP	8080 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8080 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP WAF — Recommandation Surveiller Tags http_alt_8080 http_alt_port net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8080 Chemin / cible — Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 74% Confiance classification 74% Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 8 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 8080, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "986800c5ad65e75d541a277e48953dacf3f318da", "event_fingerprint": "5afc6680f618e490dc22cb875ac6d45b5c7d65ea", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "service_name": "http", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 40 }, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 40 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "945d6c54aac35f31bab6fba8d81332256826a36c", "protocol_details": { "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 74, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 74 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_8080", "http_alt_port", "net_web_probe" ] }
20/06/2026 04:09:42 UTC	TCP	8080 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:8080 · (tentative d'exploit)	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 228, "payload_entropy": 5.344627571663537, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 8080, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 4, "anomaly_count": 0, "campaign_key": "075e5345953235ea967a2535172cf98d1d3d388a", "event_fingerprint": "c4a5ea58b3d2b0d9f787b32d70530d766cc70177", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "837b422f3711d0b7024eb764f44848aa", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cabf10b780ff13c0523a1f4e346d4325c62e7ff2", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "attack_vector": "exploit attempt \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ], "behavior_alert_count": 1, "behavior_priority": 96 }
20/06/2026 01:19:24 UTC	TCP	7000 · CASSANDRA JMX	cassandra-jmx	cassandra probe cassandra probe · via CASSANDRA JMX:7000 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur CASSANDRA-JMX WAF — Recommandation Surveiller Tags cassandra_emulated http_get_probe mozi_pattern net_cassandra_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7000 Chemin / cible — Service CASSANDRA JMX Payload GET /image/lgbg.jpg HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532 Pourquoi cette classification : Type « cassandra_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /image/lgbg.jpg HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532 Requête brute (extrait) GET /image/lgbg.jpg HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "4f4b0d0a", "emulator_response_len": 4, "bytes_in": 242, "payload_entropy": 5.377225857005211, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "cassandra-jmx", "app_proto": "cassandra-jmx", "asn": 41557, "country": "MK", "dst_port": 7000, "risk_waf": 8, "risk_classification": 55, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15 }, "risk_score": 34, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9af8e61ef8693591e01ecf481399aa2f40e5f5d2", "event_fingerprint": "0515a90696fafcab67973d1c4c56caf19b56703e", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "cassandra-jmx", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1ca18106549bd2f2002782b6a1b352bf", "path_pattern_hash": "4ab235198c4b31da3311b42124ef3494" }, "target_context": { "dst_port": 7000, "service": "cassandra-jmx", "service_name": "cassandra-jmx", "risk_score": 34 }, "payload_preview": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "request_sample": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "evidence": { "request_sample": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2a0effb0331ac730a009805dbab87912ac7bcf55", "protocol_details": { "payload_preview": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "evidence_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX", "dst_port": 7000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra-jmx", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra_jmx", "service_banner": "honeypot-cassandra-jmx", "service_os": "linux", "dst_port": "7000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "http_get_probe", "mozi_pattern", "net_cassandra_probe" ] }
20/06/2026 01:19:24 UTC	TCP	7000 · CASSANDRA JMX	cassandra-jmx	cassandra probe cassandra probe · via CASSANDRA JMX:7000 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur CASSANDRA-JMX WAF — Recommandation Surveiller Tags cassandra_emulated net_cassandra_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7000 Chemin / cible — Service CASSANDRA JMX Payload ��G0 >Y�� %�m�,��2�� ; Qg��\�XH�э�,M>V#��d��b�0�Y>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « cassandra_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��G0 >Y�� %�m�,��2�� ; Qg��\�XH�э�,M>V#��d��b�0�Y>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) ��G0 >Y�� %�m�,��2�� ; Qg��\�XH�э�,M>V#��d��b�0�Y>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "protocol_emulated": true, "emulator_response": "4f4b0d0a", "emulator_response_len": 4, "bytes_in": 517, "payload_entropy": 4.110340624635949, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "cassandra-jmx", "app_proto": "cassandra-jmx", "asn": 41557, "country": "MK", "dst_port": 7000, "risk_waf": 8, "risk_classification": 55, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6a68dd2ceaa4aea89c41affaca7dcccdf8010026", "event_fingerprint": "0515a90696fafcab67973d1c4c56caf19b56703e", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 45 }, "service_name": "cassandra-jmx", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b5cc03ecfee88beedc815b1358ea2b11", "path_pattern_hash": "4ab235198c4b31da3311b42124ef3494" }, "target_context": { "dst_port": 7000, "service": "cassandra-jmx", "service_name": "cassandra-jmx", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdG0\r\u001c\u001b>Y\ufffd\u0002\ufffd\ufffd\ufffd\t%\ufffd\u0012m\ufffd,\ufffd\b\ufffd2\ufffd\ufffd\n\ufffd\ufffd\t\ufffd; Qg\ufffd\ufffd\\\ufffdXH\ufffd\u0007\u044d\ufffd,M\u0019>V#\ufffd\ufffd\ufffdd\u001a\ufffd\ufffdb\ufffd0\u0017\ufffdY\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdG0\r\u001c\u001b>Y\ufffd\u0002\ufffd\ufffd\ufffd\t%\ufffd\u0012m\ufffd,\ufffd\b\ufffd2\ufffd\ufffd\n\ufffd\ufffd\t\ufffd; Qg\ufffd\ufffd\\\ufffdXH\ufffd\u0007\u044d\ufffd,M\u0019>V#\ufffd\ufffd\ufffdd\u001a\ufffd\ufffdb\ufffd0\u0017\ufffdY\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdG0\r\u001c\u001b>Y\ufffd\u0002\ufffd\ufffd\ufffd\t%\ufffd\u0012m\ufffd,\ufffd\b\ufffd2\ufffd\ufffd\n\ufffd\ufffd\t\ufffd; Qg\ufffd\ufffd\\\ufffdXH\ufffd\u0007\u044d\ufffd,M\u0019>V#\ufffd\ufffd\ufffdd\u001a\ufffd\ufffdb\ufffd0\u0017\ufffdY\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a07e07fa5a50575165473c4c017c2a7fb02c98af", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdG0\r\u001c\u001b>Y\ufffd\u0002\ufffd\ufffd\ufffd\t%\ufffd\u0012m\ufffd,\ufffd\b\ufffd2\ufffd\ufffd\n\ufffd\ufffd\t\ufffd; Qg\ufffd\ufffd\\\ufffdXH\ufffd\u0007\u044d\ufffd,M\u0019>V#\ufffd\ufffd\ufffdd\u001a\ufffd\ufffdb\ufffd0\u0017\ufffdY\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "evidence_snippet": "\ufffd\ufffdG0\r>Y\ufffd\ufffd\ufffd\ufffd\t%\ufffdm\ufffd,\ufffd\ufffd2\ufffd\ufffd\n\ufffd\ufffd\t\ufffd; Qg\ufffd\ufffd\\\ufffdXH\ufffd\u044d\ufffd,M>V#\ufffd\ufffd\ufffdd\ufffd\ufffdb\ufffd0\ufffdY>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX", "dst_port": 7000, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra-jmx", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdG0\r\u001c\u001b>Y\ufffd\u0002\ufffd\ufffd\ufffd\t%\ufffd\u0012m\ufffd,\ufffd\b\ufffd2\ufffd\ufffd\n\ufffd\ufffd\t\ufffd; Qg\ufffd\ufffd\\\ufffdXH\ufffd\u0007\u044d\ufffd,M\u0019>V#\ufffd\ufffd\ufffdd\u001a\ufffd\ufffdb\ufffd0\u0017\ufffdY\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdG0\r>Y\ufffd\ufffd\ufffd\ufffd\t%\ufffdm\ufffd,\ufffd\ufffd2\ufffd\ufffd\n\ufffd\ufffd\t\ufffd; Qg\ufffd\ufffd\\\ufffdXH\ufffd\u044d\ufffd,M>V#\ufffd\ufffd\ufffdd\ufffd\ufffdb\ufffd0\ufffdY>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra_jmx", "service_banner": "honeypot-cassandra-jmx", "service_os": "linux", "dst_port": "7000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "net_cassandra_probe", "tls_clienthello" ] }
20/06/2026 01:19:24 UTC	TCP	7000 · CASSANDRA JMX	cassandra-jmx	imap bruteforce imap bruteforce · via CASSANDRA JMX:7000 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1110 TA0007 TA0001 Protocole Émulateur CASSANDRA-JMX WAF — Recommandation Surveiller Tags cassandra_emulated http_get_probe imap_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7000 Chemin / cible — Service CASSANDRA JMX Payload GET /login.rsp HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KH Pourquoi cette classification : Type « imap_bruteforce » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 49 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux Email Imap Login Technique MITRE T1110 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /login.rsp HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KH Requête brute (extrait) GET /login.rsp HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "4f4b0d0a", "emulator_response_len": 4, "bytes_in": 237, "payload_entropy": 5.328753506643764, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "cassandra-jmx", "app_proto": "cassandra-jmx", "asn": 41557, "country": "MK", "dst_port": 7000, "risk_waf": 8, "risk_classification": 66, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.8, "risk_breakdown": { "waf": 8, "classification": 66, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 25 }, "risk_score": 49, "tag_count": 5, "anomaly_count": 0, "campaign_key": "066b6542031c0ad851f5eeff5726475ce4f72ab2", "event_fingerprint": "0515a90696fafcab67973d1c4c56caf19b56703e", "classification_reason": "Type \u00ab imap_bruteforce \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 76, "precision_signals": [ "INT-EMAIL-imap-login" ], "kb_rule_ids": [ "INT-EMAIL-imap-login" ], "confidence_breakdown": { "waf": 8, "classification": 66, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 25, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "cassandra-jmx", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "eba29659d6af069af8c8ec1cbbf4e134", "path_pattern_hash": "d01bbf3f52d5029936b2dffb0f5e856f" }, "target_context": { "dst_port": 7000, "service": "cassandra-jmx", "service_name": "cassandra-jmx", "risk_score": 49 }, "payload_preview": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "request_sample": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "evidence": { "request_sample": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "classification_reason": "Type \u00ab imap_bruteforce \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1110" ], "mitre": "T1110", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "139d2b4f244bb7ef163f7feb06a72db981a7a913", "protocol_details": { "payload_preview": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "evidence_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "attack_vector": "imap bruteforce \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab imap_bruteforce \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab imap_bruteforce \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 66, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 25, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX", "dst_port": 7000, "protocol_emulated": true, "tags_summary": [ "INT-EMAIL-imap-login" ], "tags_summary_labels_fr": [ "Email Imap Login" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1110", "mitre_technique": "T1110", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra-jmx", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "attack_vector": "imap bruteforce \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra_jmx", "service_banner": "honeypot-cassandra-jmx", "service_os": "linux", "dst_port": "7000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "http_get_probe", "imap_probe", "mozi_pattern", "net_cassandra_probe" ] }
20/06/2026 01:19:24 UTC	TCP	7000 · CASSANDRA JMX	cassandra-jmx	cassandra probe cassandra probe · via CASSANDRA JMX:7000 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur CASSANDRA-JMX WAF — Recommandation Surveiller Tags cassandra_emulated net_cassandra_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7000 Chemin / cible — Service CASSANDRA JMX Payload ��cؒ��$�;��G�[��1vU�� N��J��oE˽I;/�1߀}1pv�`�F'� Ih�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « cassandra_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��cؒ��$�;��G�[��1vU�� N��J��oE˽I;/�1߀}1pv�`�F'� Ih�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) ��cؒ��$�;��G�[��1vU�� N��J��oE˽I;/�1߀}1pv�`�F'� Ih�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "protocol_emulated": true, "emulator_response": "4f4b0d0a", "emulator_response_len": 4, "bytes_in": 517, "payload_entropy": 4.0857701817513465, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "cassandra-jmx", "app_proto": "cassandra-jmx", "asn": 41557, "country": "MK", "dst_port": 7000, "risk_waf": 8, "risk_classification": 55, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6a68dd2ceaa4aea89c41affaca7dcccdf8010026", "event_fingerprint": "0515a90696fafcab67973d1c4c56caf19b56703e", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 45 }, "service_name": "cassandra-jmx", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "aa7572378380aaefa7b92360546797de", "path_pattern_hash": "4ab235198c4b31da3311b42124ef3494" }, "target_context": { "dst_port": 7000, "service": "cassandra-jmx", "service_name": "cassandra-jmx", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u001f\ufffd\ufffdc\u0612\b\ufffd\ufffd\ufffd\u0015$\ufffd;\ufffd\ufffdG\ufffd[\ufffd\ufffd\u0014\ufffd\ufffd\ufffd1\u0006vU\ufffd\ufffd N\ufffd\ufffdJ\ufffd\ufffdoE\u02fdI;\/\ufffd1\u07c0}1pv\ufffd`\ufffdF'\ufffd\nI\u0004h\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u001f\ufffd\ufffdc\u0612\b\ufffd\ufffd\ufffd\u0015$\ufffd;\ufffd\ufffdG\ufffd[\ufffd\ufffd\u0014\ufffd\ufffd\ufffd1\u0006vU\ufffd\ufffd N\ufffd\ufffdJ\ufffd\ufffdoE\u02fdI;\/\ufffd1\u07c0}1pv\ufffd`\ufffdF'\ufffd\nI\u0004h\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u001f\ufffd\ufffdc\u0612\b\ufffd\ufffd\ufffd\u0015$\ufffd;\ufffd\ufffdG\ufffd[\ufffd\ufffd\u0014\ufffd\ufffd\ufffd1\u0006vU\ufffd\ufffd N\ufffd\ufffdJ\ufffd\ufffdoE\u02fdI;\/\ufffd1\u07c0}1pv\ufffd`\ufffdF'\ufffd\nI\u0004h\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9b509c9dfb25a52477cd8d7437422bb7371b305f", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u001f\ufffd\ufffdc\u0612\b\ufffd\ufffd\ufffd\u0015$\ufffd;\ufffd\ufffdG\ufffd[\ufffd\ufffd\u0014\ufffd\ufffd\ufffd1\u0006vU\ufffd\ufffd N\ufffd\ufffdJ\ufffd\ufffdoE\u02fdI;\/\ufffd1\u07c0}1pv\ufffd`\ufffdF'\ufffd\nI\u0004h\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdc\u0612\ufffd\ufffd\ufffd$\ufffd;\ufffd\ufffdG\ufffd[\ufffd\ufffd\ufffd\ufffd\ufffd1vU\ufffd\ufffd N\ufffd\ufffdJ\ufffd\ufffdoE\u02fdI;\/\ufffd1\u07c0}1pv\ufffd`\ufffdF'\ufffd\nIh\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX", "dst_port": 7000, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra-jmx", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u001f\ufffd\ufffdc\u0612\b\ufffd\ufffd\ufffd\u0015$\ufffd;\ufffd\ufffdG\ufffd[\ufffd\ufffd\u0014\ufffd\ufffd\ufffd1\u0006vU\ufffd\ufffd N\ufffd\ufffdJ\ufffd\ufffdoE\u02fdI;\/\ufffd1\u07c0}1pv\ufffd`\ufffdF'\ufffd\nI\u0004h\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdc\u0612\ufffd\ufffd\ufffd$\ufffd;\ufffd\ufffdG\ufffd[\ufffd\ufffd\ufffd\ufffd\ufffd1vU\ufffd\ufffd N\ufffd\ufffdJ\ufffd\ufffdoE\u02fdI;\/\ufffd1\u07c0}1pv\ufffd`\ufffdF'\ufffd\nIh\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra_jmx", "service_banner": "honeypot-cassandra-jmx", "service_os": "linux", "dst_port": "7000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "net_cassandra_probe", "tls_clienthello" ] }
20/06/2026 01:19:24 UTC	TCP	7000 · CASSANDRA JMX	cassandra-jmx	cassandra probe cassandra probe · via CASSANDRA JMX:7000 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur CASSANDRA-JMX WAF — Recommandation Surveiller Tags cassandra_emulated http_get_probe mozi_pattern net_cassandra_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7000 Chemin / cible — Service CASSANDRA JMX Payload GET /nobody/favicon.ico HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit Pourquoi cette classification : Type « cassandra_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /nobody/favicon.ico HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit Requête brute (extrait) GET /nobody/favicon.ico HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "4f4b0d0a", "emulator_response_len": 4, "bytes_in": 246, "payload_entropy": 5.337188539140814, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "cassandra-jmx", "app_proto": "cassandra-jmx", "asn": 41557, "country": "MK", "dst_port": 7000, "risk_waf": 8, "risk_classification": 55, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15 }, "risk_score": 34, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9af8e61ef8693591e01ecf481399aa2f40e5f5d2", "event_fingerprint": "0515a90696fafcab67973d1c4c56caf19b56703e", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "cassandra-jmx", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "56e845080d1bf021bc8a7b50514bb1d0", "path_pattern_hash": "4ab235198c4b31da3311b42124ef3494" }, "target_context": { "dst_port": 7000, "service": "cassandra-jmx", "service_name": "cassandra-jmx", "risk_score": 34 }, "payload_preview": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "request_sample": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "evidence": { "request_sample": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "84c4ca8832165e851629cb16a805f323a87db03f", "protocol_details": { "payload_preview": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "evidence_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX", "dst_port": 7000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra-jmx", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra_jmx", "service_banner": "honeypot-cassandra-jmx", "service_os": "linux", "dst_port": "7000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "http_get_probe", "mozi_pattern", "net_cassandra_probe" ] }
20/06/2026 01:19:24 UTC	TCP	7000 · CASSANDRA JMX	cassandra-jmx	cassandra probe cassandra probe · via CASSANDRA JMX:7000 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur CASSANDRA-JMX WAF — Recommandation Surveiller Tags cassandra_emulated net_cassandra_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7000 Chemin / cible — Service CASSANDRA JMX Payload ��w��&Q��gZ��Qz�؏�� WdA��[ ��H�p��}y�#��K�y�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « cassandra_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��w��&Q��gZ��Qz�؏�� WdA��[ ��H�p��}y�#��K�y�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) ��w��&Q��gZ��Qz�؏�� WdA��[ ��H�p��}y�#��K�y�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "protocol_emulated": true, "emulator_response": "4f4b0d0a", "emulator_response_len": 4, "bytes_in": 517, "payload_entropy": 4.155224272021754, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "cassandra-jmx", "app_proto": "cassandra-jmx", "asn": 41557, "country": "MK", "dst_port": 7000, "risk_waf": 8, "risk_classification": 55, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6a68dd2ceaa4aea89c41affaca7dcccdf8010026", "event_fingerprint": "0515a90696fafcab67973d1c4c56caf19b56703e", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 45 }, "service_name": "cassandra-jmx", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5291780e6ead8237af4be8bc5ac23d6b", "path_pattern_hash": "4ab235198c4b31da3311b42124ef3494" }, "target_context": { "dst_port": 7000, "service": "cassandra-jmx", "service_name": "cassandra-jmx", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u000f\ufffd\u0017\ufffdw\ufffd\ufffd\ufffd\u0016\ufffd\ufffd\ufffd&Q\u000f\ufffd\ufffdgZ\ufffd\ufffd\ufffd\ufffdQz\ufffd\u060f\ufffd\ufffd WdA\ufffd\u0006\ufffd\ufffd\ufffd\ufffd[\r\ufffd\ufffdH\ufffdp\ufffd\ufffd}\u000fy\ufffd#\ufffd\u001a\ufffd\ufffdK\ufffdy\u0007\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u000f\ufffd\u0017\ufffdw\ufffd\ufffd\ufffd\u0016\ufffd\ufffd\ufffd&Q\u000f\ufffd\ufffdgZ\ufffd\ufffd\ufffd\ufffdQz\ufffd\u060f\ufffd\ufffd WdA\ufffd\u0006\ufffd\ufffd\ufffd\ufffd[\r\ufffd\ufffdH\ufffdp\ufffd\ufffd}\u000fy\ufffd#\ufffd\u001a\ufffd\ufffdK\ufffdy\u0007\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u000f\ufffd\u0017\ufffdw\ufffd\ufffd\ufffd\u0016\ufffd\ufffd\ufffd&Q\u000f\ufffd\ufffdgZ\ufffd\ufffd\ufffd\ufffdQz\ufffd\u060f\ufffd\ufffd WdA\ufffd\u0006\ufffd\ufffd\ufffd\ufffd[\r\ufffd\ufffdH\ufffdp\ufffd\ufffd}\u000fy\ufffd#\ufffd\u001a\ufffd\ufffdK\ufffdy\u0007\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8e10f980f332b9ea56ac272ad7de2ca452277411", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u000f\ufffd\u0017\ufffdw\ufffd\ufffd\ufffd\u0016\ufffd\ufffd\ufffd&Q\u000f\ufffd\ufffdgZ\ufffd\ufffd\ufffd\ufffdQz\ufffd\u060f\ufffd\ufffd WdA\ufffd\u0006\ufffd\ufffd\ufffd\ufffd[\r\ufffd\ufffdH\ufffdp\ufffd\ufffd}\u000fy\ufffd#\ufffd\u001a\ufffd\ufffdK\ufffdy\u0007\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd&Q\ufffd\ufffdgZ\ufffd\ufffd\ufffd\ufffdQz\ufffd\u060f\ufffd\ufffd WdA\ufffd\ufffd\ufffd\ufffd\ufffd[\r\ufffd\ufffdH\ufffdp\ufffd\ufffd}y\ufffd#\ufffd\ufffd\ufffdK\ufffdy\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX", "dst_port": 7000, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra-jmx", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u000f\ufffd\u0017\ufffdw\ufffd\ufffd\ufffd\u0016\ufffd\ufffd\ufffd&Q\u000f\ufffd\ufffdgZ\ufffd\ufffd\ufffd\ufffdQz\ufffd\u060f\ufffd\ufffd WdA\ufffd\u0006\ufffd\ufffd\ufffd\ufffd[\r\ufffd\ufffdH\ufffdp\ufffd\ufffd}\u000fy\ufffd#\ufffd\u001a\ufffd\ufffdK\ufffdy\u0007\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd&Q\ufffd\ufffdgZ\ufffd\ufffd\ufffd\ufffdQz\ufffd\u060f\ufffd\ufffd WdA\ufffd\ufffd\ufffd\ufffd\ufffd[\r\ufffd\ufffdH\ufffdp\ufffd\ufffd}y\ufffd#\ufffd\ufffd\ufffdK\ufffdy\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra_jmx", "service_banner": "honeypot-cassandra-jmx", "service_os": "linux", "dst_port": "7000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "net_cassandra_probe", "tls_clienthello" ] }
20/06/2026 01:19:24 UTC	TCP	7000 · CASSANDRA JMX	cassandra-jmx	cassandra probe cassandra probe · via CASSANDRA JMX:7000 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur CASSANDRA-JMX WAF — Recommandation Surveiller Tags cassandra_emulated http_get_probe mozi_pattern net_cassandra_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7000 Chemin / cible — Service CASSANDRA JMX Payload GET /skin/default_1/images/logo.png HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Pourquoi cette classification : Type « cassandra_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /skin/default_1/images/logo.png HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Requête brute (extrait) GET /skin/default_1/images/logo.png HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "4f4b0d0a", "emulator_response_len": 4, "bytes_in": 258, "payload_entropy": 5.3690964460165125, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "cassandra-jmx", "app_proto": "cassandra-jmx", "asn": 41557, "country": "MK", "dst_port": 7000, "risk_waf": 8, "risk_classification": 55, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15 }, "risk_score": 34, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9af8e61ef8693591e01ecf481399aa2f40e5f5d2", "event_fingerprint": "0515a90696fafcab67973d1c4c56caf19b56703e", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "cassandra-jmx", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "46d5b74ecafa38e856e4214cec4cb439", "path_pattern_hash": "4ab235198c4b31da3311b42124ef3494" }, "target_context": { "dst_port": 7000, "service": "cassandra-jmx", "service_name": "cassandra-jmx", "risk_score": 34 }, "payload_preview": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "request_sample": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n", "payload_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "evidence": { "request_sample": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n", "payload_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "72d0a34755727f6efbe38fdfe2ec56105b4c6e8f", "protocol_details": { "payload_preview": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "evidence_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX", "dst_port": 7000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra-jmx", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra_jmx", "service_banner": "honeypot-cassandra-jmx", "service_os": "linux", "dst_port": "7000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "http_get_probe", "mozi_pattern", "net_cassandra_probe" ] }
20/06/2026 01:19:24 UTC	TCP	7000 · CASSANDRA JMX	cassandra-jmx	cassandra probe cassandra probe · via CASSANDRA JMX:7000 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur CASSANDRA-JMX WAF — Recommandation Surveiller Tags cassandra_emulated net_cassandra_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7000 Chemin / cible — Service CASSANDRA JMX Payload ��ݏ��-�7��TQ��9�uLE�mY�.fTb �(uH�;Fu%�z�=�.5g2�i��e��&�n:>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « cassandra_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��ݏ��-�7��TQ��9�uLE�mY�.fTb �(uH�;Fu%�z�=�.5g2�i��e��&�n:>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) ��ݏ��-�7��TQ��9�uLE�mY�.fTb �(uH�;Fu%�z�=�.5g2�i��e��&�n:>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "protocol_emulated": true, "emulator_response": "4f4b0d0a", "emulator_response_len": 4, "bytes_in": 517, "payload_entropy": 4.111998987419717, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "cassandra-jmx", "app_proto": "cassandra-jmx", "asn": 41557, "country": "MK", "dst_port": 7000, "risk_waf": 8, "risk_classification": 55, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6a68dd2ceaa4aea89c41affaca7dcccdf8010026", "event_fingerprint": "0515a90696fafcab67973d1c4c56caf19b56703e", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 45 }, "service_name": "cassandra-jmx", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "72fc10ddbd59eb1b8e4b90bb878f61ba", "path_pattern_hash": "4ab235198c4b31da3311b42124ef3494" }, "target_context": { "dst_port": 7000, "service": "cassandra-jmx", "service_name": "cassandra-jmx", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u074f\ufffd\ufffd\ufffd-\ufffd7\ufffd\ufffdTQ\ufffd\ufffd\u0012\ufffd9\ufffduLE\ufffdmY\ufffd.fT\u0003b \ufffd(uH\u0002\ufffd;Fu%\ufffdz\ufffd=\ufffd.5g2\ufffdi\ufffd\ufffde\ufffd\ufffd&\ufffdn:\u001f\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u074f\ufffd\ufffd\ufffd-\ufffd7\ufffd\ufffdTQ\ufffd\ufffd\u0012\ufffd9\ufffduLE\ufffdmY\ufffd.fT\u0003b \ufffd(uH\u0002\ufffd;Fu%\ufffdz\ufffd=\ufffd.5g2\ufffdi\ufffd\ufffde\ufffd\ufffd&\ufffdn:\u001f\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u074f\ufffd\ufffd\ufffd-\ufffd7\ufffd\ufffdTQ\ufffd\ufffd\u0012\ufffd9\ufffduLE\ufffdmY\ufffd.fT\u0003b \ufffd(uH\u0002\ufffd;Fu%\ufffdz\ufffd=\ufffd.5g2\ufffdi\ufffd\ufffde\ufffd\ufffd&\ufffdn:\u001f\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d8813f547ecbc379cb19d41f9871055defdf1b37", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u074f\ufffd\ufffd\ufffd-\ufffd7\ufffd\ufffdTQ\ufffd\ufffd\u0012\ufffd9\ufffduLE\ufffdmY\ufffd.fT\u0003b \ufffd(uH\u0002\ufffd;Fu%\ufffdz\ufffd=\ufffd.5g2\ufffdi\ufffd\ufffde\ufffd\ufffd&\ufffdn:\u001f\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "evidence_snippet": "\ufffd\ufffd\u074f\ufffd\ufffd\ufffd-\ufffd7\ufffd\ufffdTQ\ufffd\ufffd\ufffd9\ufffduLE\ufffdmY\ufffd.fTb \ufffd(uH\ufffd;Fu%\ufffdz\ufffd=\ufffd.5g2\ufffdi\ufffd\ufffde\ufffd\ufffd&\ufffdn:>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX", "dst_port": 7000, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra-jmx", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u074f\ufffd\ufffd\ufffd-\ufffd7\ufffd\ufffdTQ\ufffd\ufffd\u0012\ufffd9\ufffduLE\ufffdmY\ufffd.fT\u0003b \ufffd(uH\u0002\ufffd;Fu%\ufffdz\ufffd=\ufffd.5g2\ufffdi\ufffd\ufffde\ufffd\ufffd&\ufffdn:\u001f\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\u074f\ufffd\ufffd\ufffd-\ufffd7\ufffd\ufffdTQ\ufffd\ufffd\ufffd9\ufffduLE\ufffdmY\ufffd.fTb \ufffd(uH\ufffd;Fu%\ufffdz\ufffd=\ufffd.5g2\ufffdi\ufffd\ufffde\ufffd\ufffd&\ufffdn:>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra_jmx", "service_banner": "honeypot-cassandra-jmx", "service_os": "linux", "dst_port": "7000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "net_cassandra_probe", "tls_clienthello" ] }
20/06/2026 01:19:23 UTC	TCP	7000 · CASSANDRA JMX	cassandra-jmx	cassandra probe cassandra probe · via CASSANDRA JMX:7000 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur CASSANDRA-JMX WAF — Recommandation Surveiller Tags cassandra_emulated net_cassandra_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7000 Chemin / cible — Service CASSANDRA JMX Pourquoi cette classification : Type « cassandra_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 2 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "4f4b0d0a", "emulator_response_len": 4, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "cassandra-jmx", "app_proto": "cassandra-jmx", "asn": 41557, "country": "MK", "dst_port": 7000, "risk_waf": 8, "risk_classification": 55, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 34, "tag_count": 2, "anomaly_count": 0, "campaign_key": "0f2b3f688e52b847eec81bfc3a7ca929d263c647", "event_fingerprint": "0515a90696fafcab67973d1c4c56caf19b56703e", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "cassandra-jmx", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "4ab235198c4b31da3311b42124ef3494" }, "target_context": { "dst_port": 7000, "service": "cassandra-jmx", "service_name": "cassandra-jmx", "risk_score": 34 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5a8e77f85013084f1d7f610baac29bf346ce744e", "protocol_details": { "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX", "dst_port": 7000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra-jmx", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra_jmx", "service_banner": "honeypot-cassandra-jmx", "service_os": "linux", "dst_port": "7000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "net_cassandra_probe" ] }
20/06/2026 01:19:23 UTC	TCP	7000 · CASSANDRA JMX	cassandra-jmx	cassandra probe cassandra probe · via CASSANDRA JMX:7000 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur CASSANDRA-JMX WAF — Recommandation Surveiller Tags cassandra_emulated http_get_probe mozi_pattern net_cassandra_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7000 Chemin / cible — Service CASSANDRA JMX Payload GET / HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Pourquoi cette classification : Type « cassandra_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "4f4b0d0a", "emulator_response_len": 4, "bytes_in": 228, "payload_entropy": 5.335234109163203, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "cassandra-jmx", "app_proto": "cassandra-jmx", "asn": 41557, "country": "MK", "dst_port": 7000, "risk_waf": 8, "risk_classification": 55, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15 }, "risk_score": 34, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9af8e61ef8693591e01ecf481399aa2f40e5f5d2", "event_fingerprint": "0515a90696fafcab67973d1c4c56caf19b56703e", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "cassandra-jmx", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ae6d603b723c4dc8ad454dd915c20d15", "path_pattern_hash": "4ab235198c4b31da3311b42124ef3494" }, "target_context": { "dst_port": 7000, "service": "cassandra-jmx", "service_name": "cassandra-jmx", "risk_score": 34 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7adb663adaf2728dfb12b98bd9e1b4595e592c66", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX", "dst_port": 7000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra-jmx", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra_jmx", "service_banner": "honeypot-cassandra-jmx", "service_os": "linux", "dst_port": "7000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "http_get_probe", "mozi_pattern", "net_cassandra_probe" ] }
20/06/2026 01:19:23 UTC	TCP	7000 · CASSANDRA JMX	cassandra-jmx	cassandra probe cassandra probe · via CASSANDRA JMX:7000 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur CASSANDRA-JMX WAF — Recommandation Surveiller Tags cassandra_emulated net_cassandra_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7000 Chemin / cible — Service CASSANDRA JMX Payload ��+�<�"��-�q��%. G`}��{3�n �0̲uü7��#g��W4-�\<ֽ��K�@�Q>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « cassandra_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��+�<�"��-�q��%. G`}��{3�n �0̲uü7��#g��W4-�\<ֽ��K�@�Q>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) ��+�<�"��-�q��%. G`}��{3�n �0̲uü7��#g��W4-�\<ֽ��K�@�Q>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "protocol_emulated": true, "emulator_response": "4f4b0d0a", "emulator_response_len": 4, "bytes_in": 517, "payload_entropy": 4.110344619714585, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "cassandra-jmx", "app_proto": "cassandra-jmx", "asn": 41557, "country": "MK", "dst_port": 7000, "risk_waf": 8, "risk_classification": 55, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6a68dd2ceaa4aea89c41affaca7dcccdf8010026", "event_fingerprint": "0515a90696fafcab67973d1c4c56caf19b56703e", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 45 }, "service_name": "cassandra-jmx", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e739e860cee1b3641b32147c895b4174", "path_pattern_hash": "4ab235198c4b31da3311b42124ef3494" }, "target_context": { "dst_port": 7000, "service": "cassandra-jmx", "service_name": "cassandra-jmx", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd+\ufffd<\u0014\ufffd\"\ufffd\u001f\ufffd-\ufffdq\ufffd\ufffd%.\rG\u0001\u0016`}\ufffd\ufffd\ufffd\u0017{3\ufffd\u000fn \ufffd0\u0332u\u00fc7\ufffd\ufffd\ufffd#g\ufffd\ufffdW4-\ufffd\\<\u05bd\ufffd\ufffdK\ufffd@\ufffdQ\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd+\ufffd<\u0014\ufffd\"\ufffd\u001f\ufffd-\ufffdq\ufffd\ufffd%.\rG\u0001\u0016`}\ufffd\ufffd\ufffd\u0017{3\ufffd\u000fn \ufffd0\u0332u\u00fc7\ufffd\ufffd\ufffd#g\ufffd\ufffdW4-\ufffd\\<\u05bd\ufffd\ufffdK\ufffd@\ufffdQ\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd+\ufffd<\u0014\ufffd\"\ufffd\u001f\ufffd-\ufffdq\ufffd\ufffd%.\rG\u0001\u0016`}\ufffd\ufffd\ufffd\u0017{3\ufffd\u000fn \ufffd0\u0332u\u00fc7\ufffd\ufffd\ufffd#g\ufffd\ufffdW4-\ufffd\\<\u05bd\ufffd\ufffdK\ufffd@\ufffdQ\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f78c9a36538df74aa8a1404a3271ae7e912ecfee", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd+\ufffd<\u0014\ufffd\"\ufffd\u001f\ufffd-\ufffdq\ufffd\ufffd%.\rG\u0001\u0016`}\ufffd\ufffd\ufffd\u0017{3\ufffd\u000fn \ufffd0\u0332u\u00fc7\ufffd\ufffd\ufffd#g\ufffd\ufffdW4-\ufffd\\<\u05bd\ufffd\ufffdK\ufffd@\ufffdQ\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "evidence_snippet": "\ufffd\ufffd+\ufffd<\ufffd\"\ufffd\ufffd-\ufffdq\ufffd\ufffd%.\rG`}\ufffd\ufffd\ufffd{3\ufffdn \ufffd0\u0332u\u00fc7\ufffd\ufffd\ufffd#g\ufffd\ufffdW4-\ufffd\\<\u05bd\ufffd\ufffdK\ufffd@\ufffdQ>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX", "dst_port": 7000, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra-jmx", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd+\ufffd<\u0014\ufffd\"\ufffd\u001f\ufffd-\ufffdq\ufffd\ufffd%.\rG\u0001\u0016`}\ufffd\ufffd\ufffd\u0017{3\ufffd\u000fn \ufffd0\u0332u\u00fc7\ufffd\ufffd\ufffd#g\ufffd\ufffdW4-\ufffd\\<\u05bd\ufffd\ufffdK\ufffd@\ufffdQ\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd+\ufffd<\ufffd\"\ufffd\ufffd-\ufffdq\ufffd\ufffd%.\rG`}\ufffd\ufffd\ufffd{3\ufffdn \ufffd0\u0332u\u00fc7\ufffd\ufffd\ufffd#g\ufffd\ufffdW4-\ufffd\\<\u05bd\ufffd\ufffdK\ufffd@\ufffdQ>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra_jmx", "service_banner": "honeypot-cassandra-jmx", "service_os": "linux", "dst_port": "7000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "net_cassandra_probe", "tls_clienthello" ] }
20/06/2026 01:19:23 UTC	TCP	7000 · CASSANDRA JMX	cassandra-jmx	cassandra probe cassandra probe · via CASSANDRA JMX:7000 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur CASSANDRA-JMX WAF — Recommandation Surveiller Tags cassandra_emulated http_get_probe mozi_pattern net_cassandra_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7000 Chemin / cible — Service CASSANDRA JMX Payload GET /cgi-bin/param.cgi HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/ Pourquoi cette classification : Type « cassandra_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /cgi-bin/param.cgi HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/ Requête brute (extrait) GET /cgi-bin/param.cgi HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "4f4b0d0a", "emulator_response_len": 4, "bytes_in": 245, "payload_entropy": 5.3528116065912155, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "cassandra-jmx", "app_proto": "cassandra-jmx", "asn": 41557, "country": "MK", "dst_port": 7000, "risk_waf": 8, "risk_classification": 55, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15 }, "risk_score": 34, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9af8e61ef8693591e01ecf481399aa2f40e5f5d2", "event_fingerprint": "0515a90696fafcab67973d1c4c56caf19b56703e", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "cassandra-jmx", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e3b424da7fb6a06de465387764b8d06e", "path_pattern_hash": "4ab235198c4b31da3311b42124ef3494" }, "target_context": { "dst_port": 7000, "service": "cassandra-jmx", "service_name": "cassandra-jmx", "risk_score": 34 }, "payload_preview": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "request_sample": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "evidence": { "request_sample": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "910350071ed6b614e3b9d3e0ebc4ac7dbbd9486e", "protocol_details": { "payload_preview": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "evidence_snippet": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX", "dst_port": 7000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra-jmx", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/cgi-bin\/param.cgi HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra_jmx", "service_banner": "honeypot-cassandra-jmx", "service_os": "linux", "dst_port": "7000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "http_get_probe", "mozi_pattern", "net_cassandra_probe" ] }
20/06/2026 01:19:23 UTC	TCP	7000 · CASSANDRA JMX	cassandra-jmx	cassandra probe cassandra probe · via CASSANDRA JMX:7000 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur CASSANDRA-JMX WAF — Recommandation Surveiller Tags cassandra_emulated net_cassandra_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7000 Chemin / cible — Service CASSANDRA JMX Payload �`!�k�R2r�w��^�F�EI4��kO��h�I s �p��xs��_��@;�>�I��n�R]�G>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « cassandra_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �`!�k�R2r�w��^�F�EI4��kO��h�I s �p��xs��_��@;�>�I��n�R]�G>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) �`!�k�R2r�w��^�F�EI4��kO��h�I s �p��xs��_��@;�>�I��n�R]�G>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "protocol_emulated": true, "emulator_response": "4f4b0d0a", "emulator_response_len": 4, "bytes_in": 517, "payload_entropy": 4.144678944367177, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "cassandra-jmx", "app_proto": "cassandra-jmx", "asn": 41557, "country": "MK", "dst_port": 7000, "risk_waf": 8, "risk_classification": 55, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6a68dd2ceaa4aea89c41affaca7dcccdf8010026", "event_fingerprint": "0515a90696fafcab67973d1c4c56caf19b56703e", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 45 }, "service_name": "cassandra-jmx", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "77e043fbe188ad0c3e9963aebf7ab234", "path_pattern_hash": "4ab235198c4b31da3311b42124ef3494" }, "target_context": { "dst_port": 7000, "service": "cassandra-jmx", "service_name": "cassandra-jmx", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003`!\ufffdk\ufffdR2r\u0014\ufffdw\ufffd\ufffd\ufffd\ufffd^\ufffd\u0013F\ufffdEI4\ufffd\ufffdkO\ufffd\ufffdh\ufffdI s\n\u0012\ufffdp\ufffd\ufffdxs\ufffd\ufffd_\ufffd\u0003\ufffd\ufffd@;\ufffd>\ufffdI\ufffd\u001f\ufffdn\ufffdR\u001c]\ufffdG\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003`!\ufffdk\ufffdR2r\u0014\ufffdw\ufffd\ufffd\ufffd\ufffd^\ufffd\u0013F\ufffdEI4\ufffd\ufffdkO\ufffd\ufffdh\ufffdI s\n\u0012\ufffdp\ufffd\ufffdxs\ufffd\ufffd_\ufffd\u0003\ufffd\ufffd@;\ufffd>\ufffdI\ufffd\u001f\ufffdn\ufffdR\u001c]\ufffdG\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003`!\ufffdk\ufffdR2r\u0014\ufffdw\ufffd\ufffd\ufffd\ufffd^\ufffd\u0013F\ufffdEI4\ufffd\ufffdkO\ufffd\ufffdh\ufffdI s\n\u0012\ufffdp\ufffd\ufffdxs\ufffd\ufffd_\ufffd\u0003\ufffd\ufffd@;\ufffd>\ufffdI\ufffd\u001f\ufffdn\ufffdR\u001c]\ufffdG\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "239a09fb5fcabfaa2369dea19b96eb5a597adb73", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003`!\ufffdk\ufffdR2r\u0014\ufffdw\ufffd\ufffd\ufffd\ufffd^\ufffd\u0013F\ufffdEI4\ufffd\ufffdkO\ufffd\ufffdh\ufffdI s\n\u0012\ufffdp\ufffd\ufffdxs\ufffd\ufffd_\ufffd\u0003\ufffd\ufffd@;\ufffd>\ufffdI\ufffd\u001f\ufffdn\ufffdR\u001c]\ufffdG\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "evidence_snippet": "\ufffd`!\ufffdk\ufffdR2r\ufffdw\ufffd\ufffd\ufffd\ufffd^\ufffdF\ufffdEI4\ufffd\ufffdkO\ufffd\ufffdh\ufffdI s\n\ufffdp\ufffd\ufffdxs\ufffd\ufffd_\ufffd\ufffd\ufffd@;\ufffd>\ufffdI\ufffd\ufffdn\ufffdR]\ufffdG>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX", "dst_port": 7000, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra-jmx", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003`!\ufffdk\ufffdR2r\u0014\ufffdw\ufffd\ufffd\ufffd\ufffd^\ufffd\u0013F\ufffdEI4\ufffd\ufffdkO\ufffd\ufffdh\ufffdI s\n\u0012\ufffdp\ufffd\ufffdxs\ufffd\ufffd_\ufffd\u0003\ufffd\ufffd@;\ufffd>\ufffdI\ufffd\u001f\ufffdn\ufffdR\u001c]\ufffdG\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd`!\ufffdk\ufffdR2r\ufffdw\ufffd\ufffd\ufffd\ufffd^\ufffdF\ufffdEI4\ufffd\ufffdkO\ufffd\ufffdh\ufffdI s\n\ufffdp\ufffd\ufffdxs\ufffd\ufffd_\ufffd\ufffd\ufffd@;\ufffd>\ufffdI\ufffd\ufffdn\ufffdR]\ufffdG>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra_jmx", "service_banner": "honeypot-cassandra-jmx", "service_os": "linux", "dst_port": "7000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "net_cassandra_probe", "tls_clienthello" ] }
20/06/2026 01:19:23 UTC	TCP	7000 · CASSANDRA JMX	cassandra-jmx	cassandra probe cassandra probe · via CASSANDRA JMX:7000 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur CASSANDRA-JMX WAF — Recommandation Surveiller Tags cassandra_emulated http_get_probe mozi_pattern net_cassandra_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7000 Chemin / cible — Service CASSANDRA JMX Payload GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ ( Pourquoi cette classification : Type « cassandra_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ ( Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "4f4b0d0a", "emulator_response_len": 4, "bytes_in": 239, "payload_entropy": 5.333576237112773, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "cassandra-jmx", "app_proto": "cassandra-jmx", "asn": 41557, "country": "MK", "dst_port": 7000, "risk_waf": 8, "risk_classification": 55, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15 }, "risk_score": 34, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9af8e61ef8693591e01ecf481399aa2f40e5f5d2", "event_fingerprint": "0515a90696fafcab67973d1c4c56caf19b56703e", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "cassandra-jmx", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0b13b66b9dd627e363428ecaee3051ef", "path_pattern_hash": "4ab235198c4b31da3311b42124ef3494" }, "target_context": { "dst_port": 7000, "service": "cassandra-jmx", "service_name": "cassandra-jmx", "risk_score": 34 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "evidence": { "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c28a4c1d8cb33edfd5638f6ab07f1c6211063e64", "protocol_details": { "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX", "dst_port": 7000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra-jmx", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra_jmx", "service_banner": "honeypot-cassandra-jmx", "service_os": "linux", "dst_port": "7000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "http_get_probe", "mozi_pattern", "net_cassandra_probe" ] }
20/06/2026 01:19:23 UTC	TCP	7000 · CASSANDRA JMX	cassandra-jmx	cassandra probe cassandra probe · via CASSANDRA JMX:7000 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur CASSANDRA-JMX WAF — Recommandation Surveiller Tags cassandra_emulated net_cassandra_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7000 Chemin / cible — Service CASSANDRA JMX Payload �ʀ_Ag%zHg[��_��?!�Z�_��D c�9��d�I�jC}�Z�6�(b��!�B>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « cassandra_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �ʀ_Ag%zHg[��_��?!�Z�_��D c�9��d�I�jC}�Z�6�(b��!�B>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) �ʀ_Ag%zHg[��_��?!�Z�_��D c�9��d�I�jC}�Z�6�(b��!�B>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "protocol_emulated": true, "emulator_response": "4f4b0d0a", "emulator_response_len": 4, "bytes_in": 517, "payload_entropy": 4.123016100425703, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "cassandra-jmx", "app_proto": "cassandra-jmx", "asn": 41557, "country": "MK", "dst_port": 7000, "risk_waf": 8, "risk_classification": 55, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6a68dd2ceaa4aea89c41affaca7dcccdf8010026", "event_fingerprint": "0515a90696fafcab67973d1c4c56caf19b56703e", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 45 }, "service_name": "cassandra-jmx", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "fa971d943ff81c1c73f1017f435a0940", "path_pattern_hash": "4ab235198c4b31da3311b42124ef3494" }, "target_context": { "dst_port": 7000, "service": "cassandra-jmx", "service_name": "cassandra-jmx", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0280_\u0013Ag%zHg[\ufffd\u0001\ufffd\ufffd\ufffd_\u0004\ufffd\ufffd\ufffd?!\ufffdZ\ufffd_\u000e\ufffd\ufffdD\u001d c\ufffd9\ufffd\ufffd\ufffdd\ufffdI\u001a\ufffdjC}\ufffdZ\ufffd6\ufffd(b\ufffd\ufffd\ufffd\ufffd\ufffd\u0014\ufffd!\ufffdB\u001f\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0280_\u0013Ag%zHg[\ufffd\u0001\ufffd\ufffd\ufffd_\u0004\ufffd\ufffd\ufffd?!\ufffdZ\ufffd_\u000e\ufffd\ufffdD\u001d c\ufffd9\ufffd\ufffd\ufffdd\ufffdI\u001a\ufffdjC}\ufffdZ\ufffd6\ufffd(b\ufffd\ufffd\ufffd\ufffd\ufffd\u0014\ufffd!\ufffdB\u001f\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0280_\u0013Ag%zHg[\ufffd\u0001\ufffd\ufffd\ufffd_\u0004\ufffd\ufffd\ufffd?!\ufffdZ\ufffd_\u000e\ufffd\ufffdD\u001d c\ufffd9\ufffd\ufffd\ufffdd\ufffdI\u001a\ufffdjC}\ufffdZ\ufffd6\ufffd(b\ufffd\ufffd\ufffd\ufffd\ufffd\u0014\ufffd!\ufffdB\u001f\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "37ceea77071ad19c911a010ac06fb8c83546a5fc", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0280_\u0013Ag%zHg[\ufffd\u0001\ufffd\ufffd\ufffd_\u0004\ufffd\ufffd\ufffd?!\ufffdZ\ufffd_\u000e\ufffd\ufffdD\u001d c\ufffd9\ufffd\ufffd\ufffdd\ufffdI\u001a\ufffdjC}\ufffdZ\ufffd6\ufffd(b\ufffd\ufffd\ufffd\ufffd\ufffd\u0014\ufffd!\ufffdB\u001f\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "evidence_snippet": "\ufffd\u0280_Ag%zHg[\ufffd\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd?!\ufffdZ\ufffd_\ufffd\ufffdD c\ufffd9\ufffd\ufffd\ufffdd\ufffdI\ufffdjC}\ufffdZ\ufffd6\ufffd(b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!\ufffdB>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX", "dst_port": 7000, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra-jmx", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0280_\u0013Ag%zHg[\ufffd\u0001\ufffd\ufffd\ufffd_\u0004\ufffd\ufffd\ufffd?!\ufffdZ\ufffd_\u000e\ufffd\ufffdD\u001d c\ufffd9\ufffd\ufffd\ufffdd\ufffdI\u001a\ufffdjC}\ufffdZ\ufffd6\ufffd(b\ufffd\ufffd\ufffd\ufffd\ufffd\u0014\ufffd!\ufffdB\u001f\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "attack_vector": "cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\u0280_Ag%zHg[\ufffd\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd?!\ufffdZ\ufffd_\ufffd\ufffdD c\ufffd9\ufffd\ufffd\ufffdd\ufffdI\ufffdjC}\ufffdZ\ufffd6\ufffd(b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!\ufffdB>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra_jmx", "service_banner": "honeypot-cassandra-jmx", "service_os": "linux", "dst_port": "7000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "net_cassandra_probe", "tls_clienthello" ] }
18/06/2026 17:10:57 UTC	TCP	5554 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5554 · (tentative d'exploit) · → /skin/default_1/images/logo.png	Élevée	Moyen · 48
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /skin/default_1/images/logo.png UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 19 Recommandation Surveiller Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /skin/default_1/images/logo.png TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5554 Chemin / cible /skin/default_1/images/logo.png Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 48 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /skin/default_1/images/logo.png HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /skin/default_1/images/logo.png HTTP/1.1 Host: 62.3.50.33:5554 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Requête brute (extrait) GET /skin/default_1/images/logo.png HTTP/1.1 Host: 62.3.50.33:5554 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "png", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "367229e23dd92ea4c4c91209ade49cdab116345b", "http_target_hash": "893121d0eb67a0f333f42554a8794cc9f4cb2cfc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.361344508032016, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 5554, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f533fe1889604cf1cba769d55e86629430667d9d", "event_fingerprint": "e3a0ecc795adce5a7b4c7285a87c27cef44dc1a7", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "f41f51da3db8b52dd80af2b9bc4624ac", "path_pattern_hash": "f6ee15dfe5cdca7ba24428fd11fa927c" }, "target_context": { "dst_port": 5554, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "method": "GET", "path": "\/skin\/default_1\/images\/logo.png", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1", "request_sample": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n", "payload_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "evidence": { "method": "GET", "path": "\/skin\/default_1\/images\/logo.png", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1", "request_sample": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n", "payload_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cf8374ed743f0f8f7b55d792ee8d47f13455c1de", "protocol_details": { "http_method": "GET", "http_path": "\/skin\/default_1\/images\/logo.png", "request_line": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 5554, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "attack_vector": "exploit attempt \u00b7 via HTTP:5554 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/skin\/default_1\/images\/logo.png", "target_port_label": "5554 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 48, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5554, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/skin\/default_1\/images\/logo.png", "request_line": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 5554, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5554 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/skin\/default_1\/images\/logo.png", "evidence_snippet": "GET \/skin\/default_1\/images\/logo.png HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US)", "target_port_label": "5554 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:5554", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ] }
18/06/2026 17:10:57 UTC	TCP	5554 · TLS	tls	Sonde TLS tls probe · via TLS:5554 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5554 Chemin / cible — Service TLS Payload ��'�j7��d�!��V�P�8�sZ�� R-̰�ɰ��:V�~ݛe;�� X,�V��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��'�j7��d�!��V�P�8�sZ�� R-̰�ɰ��:V�~ݛe;�� X,�V��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) ��'�j7��d�!��V�P�8�sZ�� R-̰�ɰ��:V�~ݛe;�� X,�V��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.136111324361623, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 5554, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f936548d6ff8fc0b73c8b41e97918db42c8f4b1b", "event_fingerprint": "0c5231f99d2195f841c0e8d459118a207f7026b3", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "558c66113728919dc49c0cc148381b4e", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 5554, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0003\ufffd'\ufffdj7\ufffd\ufffd\ufffdd\ufffd!\u0004\ufffd\ufffd\ufffd\b\u0006\ufffdV\ufffdP\ufffd\u00118\ufffdsZ\ufffd\ufffd\ufffd\ufffd \ufffdR-\u0330\ufffd\u0270\ufffd\ufffd\ufffd\ufffd\ufffd:V\ufffd~\u075be;\u001e\ufffd\ufffd\tX,\ufffdV\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0003\ufffd'\ufffdj7\ufffd\ufffd\ufffdd\ufffd!\u0004\ufffd\ufffd\ufffd\b\u0006\ufffdV\ufffdP\ufffd\u00118\ufffdsZ\ufffd\ufffd\ufffd\ufffd \ufffdR-\u0330\ufffd\u0270\ufffd\ufffd\ufffd\ufffd\ufffd:V\ufffd~\u075be;\u001e\ufffd\ufffd\tX,\ufffdV\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0003\ufffd'\ufffdj7\ufffd\ufffd\ufffdd\ufffd!\u0004\ufffd\ufffd\ufffd\b\u0006\ufffdV\ufffdP\ufffd\u00118\ufffdsZ\ufffd\ufffd\ufffd\ufffd \ufffdR-\u0330\ufffd\u0270\ufffd\ufffd\ufffd\ufffd\ufffd:V\ufffd~\u075be;\u001e\ufffd\ufffd\tX,\ufffdV\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "16534f0773fdea843e569a71be04a85ab9970da4", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0003\ufffd'\ufffdj7\ufffd\ufffd\ufffdd\ufffd!\u0004\ufffd\ufffd\ufffd\b\u0006\ufffdV\ufffdP\ufffd\u00118\ufffdsZ\ufffd\ufffd\ufffd\ufffd \ufffdR-\u0330\ufffd\u0270\ufffd\ufffd\ufffd\ufffd\ufffd:V\ufffd~\u075be;\u001e\ufffd\ufffd\tX,\ufffdV\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 5554, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd'\ufffdj7\ufffd\ufffd\ufffdd\ufffd!\ufffd\ufffd\ufffd\ufffdV\ufffdP\ufffd8\ufffdsZ\ufffd\ufffd\ufffd\ufffd \ufffdR-\u0330\ufffd\u0270\ufffd\ufffd\ufffd\ufffd\ufffd:V\ufffd~\u075be;\ufffd\ufffd\tX,\ufffdV\ufffd\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:5554 \u00b7 (sonde \/ probe)", "target_port_label": "5554 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 5554, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0003\ufffd'\ufffdj7\ufffd\ufffd\ufffdd\ufffd!\u0004\ufffd\ufffd\ufffd\b\u0006\ufffdV\ufffdP\ufffd\u00118\ufffdsZ\ufffd\ufffd\ufffd\ufffd \ufffdR-\u0330\ufffd\u0270\ufffd\ufffd\ufffd\ufffd\ufffd:V\ufffd~\u075be;\u001e\ufffd\ufffd\tX,\ufffdV\ufffd\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 5554, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:5554 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd'\ufffdj7\ufffd\ufffd\ufffdd\ufffd!\ufffd\ufffd\ufffd\ufffdV\ufffdP\ufffd8\ufffdsZ\ufffd\ufffd\ufffd\ufffd \ufffdR-\u0330\ufffd\u0270\ufffd\ufffd\ufffd\ufffd\ufffd:V\ufffd~\u075be;\ufffd\ufffd\tX,\ufffdV\ufffd\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "5554 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "5554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:5554", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
18/06/2026 17:10:56 UTC	TCP	5554 · TLS	tls	Sonde TLS tls probe · via TLS:5554 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5554 Chemin / cible — Service TLS Payload ��d��RM;'�84+��LADqf�X��O� ��l+&u�O��}4V0�/n�?6>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��d��RM;'�84+��LADqf�X��O� ��l+&u�O��}4V0�/n�?6>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) ��d��RM;'�84+��LADqf�X��O� ��l+&u�O��}4V0�/n�?6>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.146885794828562, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 5554, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f936548d6ff8fc0b73c8b41e97918db42c8f4b1b", "event_fingerprint": "0c5231f99d2195f841c0e8d459118a207f7026b3", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "de567e21b91f043a22f3957215372086", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 5554, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdd\ufffd\ufffd\ufffd\u0018RM;'\ufffd84+\ufffd\ufffdLADqf\ufffdX\ufffd\ufffd\ufffd\ufffdO\u001b\u0010\ufffd \ufffd\ufffd\ufffd\ufffdl+&u\ufffdO\u001f\u001d\ufffd\ufffd\ufffd\u0012\u0014\ufffd\ufffd\ufffd\u0011\ufffd}4V0\ufffd\/n\ufffd?6\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdd\ufffd\ufffd\ufffd\u0018RM;'\ufffd84+\ufffd\ufffdLADqf\ufffdX\ufffd\ufffd\ufffd\ufffdO\u001b\u0010\ufffd \ufffd\ufffd\ufffd\ufffdl+&u\ufffdO\u001f\u001d\ufffd\ufffd\ufffd\u0012\u0014\ufffd\ufffd\ufffd\u0011\ufffd}4V0\ufffd\/n\ufffd?6\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdd\ufffd\ufffd\ufffd\u0018RM;'\ufffd84+\ufffd\ufffdLADqf\ufffdX\ufffd\ufffd\ufffd\ufffdO\u001b\u0010\ufffd \ufffd\ufffd\ufffd\ufffdl+&u\ufffdO\u001f\u001d\ufffd\ufffd\ufffd\u0012\u0014\ufffd\ufffd\ufffd\u0011\ufffd}4V0\ufffd\/n\ufffd?6\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f706f03fe6301a6042c40164c7184eda5ddb72f7", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdd\ufffd\ufffd\ufffd\u0018RM;'\ufffd84+\ufffd\ufffdLADqf\ufffdX\ufffd\ufffd\ufffd\ufffdO\u001b\u0010\ufffd \ufffd\ufffd\ufffd\ufffdl+&u\ufffdO\u001f\u001d\ufffd\ufffd\ufffd\u0012\u0014\ufffd\ufffd\ufffd\u0011\ufffd}4V0\ufffd\/n\ufffd?6\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 5554, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffdRM;'\ufffd84+\ufffd\ufffdLADqf\ufffdX\ufffd\ufffd\ufffd\ufffdO\ufffd \ufffd\ufffd\ufffd\ufffdl+&u\ufffdO\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd}4V0\ufffd\/n\ufffd?6>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:5554 \u00b7 (sonde \/ probe)", "target_port_label": "5554 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 5554, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdd\ufffd\ufffd\ufffd\u0018RM;'\ufffd84+\ufffd\ufffdLADqf\ufffdX\ufffd\ufffd\ufffd\ufffdO\u001b\u0010\ufffd \ufffd\ufffd\ufffd\ufffdl+&u\ufffdO\u001f\u001d\ufffd\ufffd\ufffd\u0012\u0014\ufffd\ufffd\ufffd\u0011\ufffd}4V0\ufffd\/n\ufffd?6\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 5554, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:5554 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffdRM;'\ufffd84+\ufffd\ufffdLADqf\ufffdX\ufffd\ufffd\ufffd\ufffdO\ufffd \ufffd\ufffd\ufffd\ufffdl+&u\ufffdO\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd}4V0\ufffd\/n\ufffd?6>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "5554 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "5554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:5554", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
18/06/2026 17:10:56 UTC	TCP	5554 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5554 · (tentative d'exploit) · → /image/lgbg.jpg	Élevée	Moyen · 48
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /image/lgbg.jpg UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 19 Recommandation Surveiller Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /image/lgbg.jpg TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5554 Chemin / cible /image/lgbg.jpg Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 48 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /image/lgbg.jpg HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /image/lgbg.jpg HTTP/1.1 Host: 62.3.50.33:5554 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532 Requête brute (extrait) GET /image/lgbg.jpg HTTP/1.1 Host: 62.3.50.33:5554 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "jpg", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "367229e23dd92ea4c4c91209ade49cdab116345b", "http_target_hash": "2dd31a361729c174218c8a0a20c0e5c1f46a52e7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 242, "payload_entropy": 5.368961394195293, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 5554, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f533fe1889604cf1cba769d55e86629430667d9d", "event_fingerprint": "0486c1c605b64789b70e47e9c4c984b03dad45a4", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "367c4137c17d9e417d8c93478c5341ca", "path_pattern_hash": "27ca7de15d9e41dae8afc854797a412b" }, "target_context": { "dst_port": 5554, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "method": "GET", "path": "\/image\/lgbg.jpg", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/image\/lgbg.jpg HTTP\/1.1", "request_sample": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "evidence": { "method": "GET", "path": "\/image\/lgbg.jpg", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/image\/lgbg.jpg HTTP\/1.1", "request_sample": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "197f2ae415f9451f44d9c8060840d0c0fe244948", "protocol_details": { "http_method": "GET", "http_path": "\/image\/lgbg.jpg", "request_line": "GET \/image\/lgbg.jpg HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 5554, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "attack_vector": "exploit attempt \u00b7 via HTTP:5554 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/image\/lgbg.jpg", "target_port_label": "5554 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 48, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5554, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/image\/lgbg.jpg", "request_line": "GET \/image\/lgbg.jpg HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 5554, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5554 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/image\/lgbg.jpg", "evidence_snippet": "GET \/image\/lgbg.jpg HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "target_port_label": "5554 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:5554", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ] }
18/06/2026 17:10:56 UTC	TCP	5554 · TLS	tls	Sonde TLS tls probe · via TLS:5554 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5554 Chemin / cible — Service TLS Payload ��@��I��.�w!��.5��z�H! �먯��B��=��4h�r��icM3��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification :* Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��@��I��.�w!��.5��z�H! �먯��B��=��4h�r��icM3��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) ��@��I��.�w!��.5��z�H! �먯��B��=��4h�r��icM3��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.103655994935486, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 5554, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f936548d6ff8fc0b73c8b41e97918db42c8f4b1b", "event_fingerprint": "0c5231f99d2195f841c0e8d459118a207f7026b3", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "2ed9903ffe5440eb8a35b7d5cdd07443", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 5554, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffdI\ufffd\ufffd.\ufffdw!\ufffd\ufffd.5\ufffd\u001f\ufffd\u0017\u0012\ufffd\ufffdz\ufffdH! \ufffd\uba2f\ufffd\u0001\u001e\ufffdB\ufffd\ufffd=\ufffd\ufffd4h\ufffdr\u0012\ufffd\ufffd\ufffdicM\u00013\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffdI\ufffd\ufffd.\ufffdw!\ufffd\ufffd.5\ufffd\u001f\ufffd\u0017\u0012\ufffd\ufffdz\ufffdH! \ufffd\uba2f\ufffd\u0001\u001e\ufffdB\ufffd\ufffd=\ufffd\ufffd4h\ufffdr\u0012\ufffd\ufffd\ufffdicM\u00013\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffdI\ufffd\ufffd.\ufffdw!\ufffd\ufffd.5\ufffd\u001f\ufffd\u0017\u0012\ufffd\ufffdz\ufffdH! \ufffd\uba2f\ufffd\u0001\u001e\ufffdB\ufffd\ufffd=\ufffd\ufffd4h\ufffdr\u0012\ufffd\ufffd\ufffdicM\u00013\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ece4816d191624e344a8074123e5d2d3ccd77b04", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffdI\ufffd\ufffd.\ufffdw!\ufffd\ufffd.5\ufffd\u001f\ufffd\u0017\u0012\ufffd\ufffdz\ufffdH! \ufffd\uba2f\ufffd\u0001\u001e\ufffdB\ufffd\ufffd=\ufffd\ufffd4h\ufffdr\u0012\ufffd\ufffd\ufffdicM\u00013\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 5554, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffdI\ufffd\ufffd.\ufffdw!\ufffd\ufffd.5\ufffd\ufffd\ufffd\ufffdz\ufffdH! \ufffd\uba2f\ufffd\ufffdB\ufffd\ufffd=\ufffd\ufffd4h\ufffdr\ufffd\ufffd\ufffdicM3\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:5554 \u00b7 (sonde \/ probe)", "target_port_label": "5554 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 5554, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffdI\ufffd\ufffd.\ufffdw!\ufffd\ufffd.5\ufffd\u001f\ufffd\u0017\u0012\ufffd\ufffdz\ufffdH! \ufffd\uba2f\ufffd\u0001\u001e\ufffdB\ufffd\ufffd=\ufffd\ufffd4h\ufffdr\u0012\ufffd\ufffd\ufffdicM\u00013\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 5554, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:5554 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd@*\ufffd\ufffd\ufffd\ufffdI\ufffd\ufffd.\ufffdw!\ufffd\ufffd.5\ufffd\ufffd\ufffd\ufffdz\ufffdH! \ufffd\uba2f\ufffd\ufffdB\ufffd\ufffd=\ufffd\ufffd4h\ufffdr\ufffd\ufffd\ufffdicM3\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "5554 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "5554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:5554", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
18/06/2026 17:10:56 UTC	TCP	5554 · HTTP	http	jenkins probe jenkins probe · via HTTP:5554 · (sonde / probe) · → /login.rsp	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET /login.rsp UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /login.rsp TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5554 Chemin / cible /login.rsp Service HTTP Pourquoi cette classification : Type « jenkins_probe » (signaux protocolaires) · confiance 47% Confiance classification 55% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 47 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux Cicd Jenkins Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /login.rsp HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /login.rsp HTTP/1.1 Host: 62.3.50.33:5554 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KH Requête brute (extrait) GET /login.rsp HTTP/1.1 Host: 62.3.50.33:5554 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "rsp", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "367229e23dd92ea4c4c91209ade49cdab116345b", "http_target_hash": "577c7c6e9f07414bab1843cc24ba57c57365c8d9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 237, "payload_entropy": 5.320314688078364, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 5554, "risk_waf": 60, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "9dd47068bd220d53adc21cc34da9b82afd1c7aa7", "event_fingerprint": "42ea9ecb5914b768b0709b64851f851f1065c2ef", "classification_reason": "Type \u00ab jenkins_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 56, "precision_signals": [ "INT-cicd-jenkins" ], "kb_rule_ids": [ "INT-cicd-jenkins" ], "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 47, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "b1625b2e6c26bd554379eb7c770d6fe4", "path_pattern_hash": "4586a3f595a38eb868be9c94ceb03915" }, "target_context": { "dst_port": 5554, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "method": "GET", "path": "\/login.rsp", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/login.rsp HTTP\/1.1", "request_sample": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "evidence": { "method": "GET", "path": "\/login.rsp", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/login.rsp HTTP\/1.1", "request_sample": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "classification_reason": "Type \u00ab jenkins_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4e2b0584eda85cb81c6c0aa6a51828de89a99cf9", "protocol_details": { "http_method": "GET", "http_path": "\/login.rsp", "request_line": "GET \/login.rsp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 5554, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "attack_vector": "jenkins probe \u00b7 via HTTP:5554 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/login.rsp", "target_port_label": "5554 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab jenkins_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "classification_reason_label_fr": "Type \u00ab jenkins_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5554, "protocol_emulated": null, "tags_summary": [ "INT-cicd-jenkins" ], "tags_summary_labels_fr": [ "Cicd Jenkins" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/login.rsp", "request_line": "GET \/login.rsp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 5554, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "jenkins probe \u00b7 via HTTP:5554 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/login.rsp", "evidence_snippet": "GET \/login.rsp HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KH", "target_port_label": "5554 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:5554", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ] }
18/06/2026 17:10:56 UTC	TCP	5554 · TLS	tls	Sonde TLS tls probe · via TLS:5554 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5554 Chemin / cible — Service TLS Payload �H��4��c�e��T D�Z��gIO�� YK��y�s�#z\|T��+��O�� >>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification :* Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �H��4��c�e��TD�Z��gIO�� YK��y�s�#z\|T��+��O�� >>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) �H��4��c�e��T D�Z��gIO�� YK��y�s�#z\|T��+��O�� >>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.121401836542143, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 5554, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f936548d6ff8fc0b73c8b41e97918db42c8f4b1b", "event_fingerprint": "0c5231f99d2195f841c0e8d459118a207f7026b3", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "5e95e26dfe0d70661aed3b7ba498150d", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 5554, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003H\ufffd\ufffd4\ufffd\ufffd\u0012\ufffd\ufffdc\ufffde\ufffd\ufffdT\u000b\u0001D\ufffdZ\ufffd\ufffd\ufffdgI\u000fO\ufffd\u0011\ufffd\ufffd \ufffd\ufffdYK\ufffd\ufffd\ufffd\ufffdy\ufffds\ufffd#z\|T\ufffd\u001c\ufffd+\ufffd\ufffd\ufffdO\ufffd\ufffd\ufffd \ufffd\ufffd>\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003H\ufffd\ufffd4\ufffd\ufffd\u0012\ufffd\ufffdc\ufffde\ufffd\ufffdT\u000b\u0001D\ufffdZ\ufffd\ufffd\ufffdgI\u000fO\ufffd\u0011\ufffd\ufffd \ufffd\ufffdYK\ufffd\ufffd\ufffd\ufffdy\ufffds\ufffd#z\|T\ufffd\u001c\ufffd+\ufffd\ufffd\ufffdO\ufffd\ufffd\ufffd \ufffd\ufffd>\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003H\ufffd\ufffd4\ufffd\ufffd\u0012\ufffd\ufffdc\ufffde\ufffd\ufffdT\u000b\u0001D\ufffdZ\ufffd\ufffd\ufffdgI\u000fO\ufffd\u0011\ufffd\ufffd \ufffd\ufffdYK\ufffd\ufffd\ufffd\ufffdy\ufffds\ufffd#z\|T\ufffd\u001c\ufffd+\ufffd\ufffd\ufffdO\ufffd\ufffd\ufffd \ufffd\ufffd>\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "22ab43bc5fd46b904dd7adfe17c74688c0c8d39b", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003H\ufffd\ufffd4\ufffd\ufffd\u0012\ufffd\ufffdc\ufffde\ufffd\ufffdT\u000b\u0001D\ufffdZ\ufffd\ufffd\ufffdgI\u000fO\ufffd\u0011\ufffd\ufffd \ufffd\ufffdYK\ufffd\ufffd\ufffd\ufffdy\ufffds\ufffd#z\|T\ufffd\u001c\ufffd+\ufffd\ufffd\ufffdO\ufffd\ufffd\ufffd \ufffd\ufffd>\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 5554, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffdH\ufffd\ufffd4\ufffd\ufffd\ufffd\ufffdc\ufffde\ufffd\ufffdTD\ufffdZ\ufffd\ufffd\ufffdgIO\ufffd\ufffd\ufffd \ufffd\ufffdYK\ufffd\ufffd\ufffd\ufffdy\ufffds\ufffd#z\|T\ufffd\ufffd+\ufffd\ufffd\ufffdO\ufffd\ufffd\ufffd \ufffd\ufffd>>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:5554 \u00b7 (sonde \/ probe)", "target_port_label": "5554 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 5554, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003H\ufffd\ufffd4\ufffd\ufffd\u0012\ufffd\ufffdc\ufffde\ufffd\ufffdT\u000b\u0001D\ufffdZ\ufffd\ufffd\ufffdgI\u000fO\ufffd\u0011\ufffd\ufffd \ufffd\ufffdYK\ufffd\ufffd\ufffd\ufffdy\ufffds\ufffd#z\|T\ufffd\u001c\ufffd+\ufffd\ufffd\ufffdO\ufffd\ufffd\ufffd \ufffd\ufffd>\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 5554, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:5554 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffdH\ufffd\ufffd4\ufffd\ufffd\ufffd\ufffdc\ufffde\ufffd\ufffdTD\ufffdZ\ufffd\ufffd\ufffdgIO*\ufffd\ufffd\ufffd \ufffd\ufffdYK\ufffd\ufffd\ufffd\ufffdy\ufffds\ufffd#z\|T\ufffd\ufffd+\ufffd\ufffd\ufffdO\ufffd\ufffd\ufffd \ufffd\ufffd>>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "5554 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "5554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:5554", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
18/06/2026 17:10:56 UTC	TCP	5554 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5554 · (tentative d'exploit) · → /nobody/favicon.ico	Élevée	Moyen · 48
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /nobody/favicon.ico UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 19 Recommandation Surveiller Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /nobody/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5554 Chemin / cible /nobody/favicon.ico Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 48 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /nobody/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /nobody/favicon.ico HTTP/1.1 Host: 62.3.50.33:5554 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit Requête brute (extrait) GET /nobody/favicon.ico HTTP/1.1 Host: 62.3.50.33:5554 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532+ (KHTML, like Gecko) Version/4.0.2 Safari/530.19.1 Accept-Encoding: identity Accept: / Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "f882e5a1afbaa00efa3baa188963224bc2075195", "http_host_hash": "367229e23dd92ea4c4c91209ade49cdab116345b", "http_target_hash": "99031f973e05a5223d32a653b4d8545b046e986a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.329058457840001, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "http", "app_proto": "http", "asn": 41557, "country": "MK", "dst_port": 5554, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f533fe1889604cf1cba769d55e86629430667d9d", "event_fingerprint": "ce20997c0a98ba331995883a26fbfa40f7fc9ed1", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea950a024d76f48edde533b16b13f9c2", "payload_hash": "47cc1c5dca6900472e874e0c2c42089a", "path_pattern_hash": "aed6526709a8e7eda329386724bafe99" }, "target_context": { "dst_port": 5554, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "method": "GET", "path": "\/nobody\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nobody\/favicon.ico HTTP\/1.1", "request_sample": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "evidence": { "method": "GET", "path": "\/nobody\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nobody\/favicon.ico HTTP\/1.1", "request_sample": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1\r\nAccept-Encoding: identity\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e44ee2a1e257c3be1e91c0a24baf7ffad01d5983", "protocol_details": { "http_method": "GET", "http_path": "\/nobody\/favicon.ico", "request_line": "GET \/nobody\/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 5554, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "attack_vector": "exploit attempt \u00b7 via HTTP:5554 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nobody\/favicon.ico", "target_port_label": "5554 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 48, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5554, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/nobody\/favicon.ico", "request_line": "GET \/nobody\/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532+ (KHTML, like Gecko) Version\/4.0.2 Safari\/530.19.1", "port": 5554, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5554 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nobody\/favicon.ico", "evidence_snippet": "GET \/nobody\/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:5554\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit", "target_port_label": "5554 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:5554", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ] }
18/06/2026 17:10:56 UTC	TCP	5554 · TLS	tls	Sonde TLS tls probe · via TLS:5554 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 78f0dc5ac5b19daf Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5554 Chemin / cible — Service TLS Payload �i�)tS�`)(�u��S\� ��9=�� 5ZD}nS�V�`�}�I��CW^!��J�:r�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �i�)tS�`)(�u��S\��9=�� 5ZD}nS�V�`�}�I��CW^!��J�:r�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) �i�)tS�`)(�u��S\� ��9=�� 5ZD}nS�V�`�}�I��CW^!��J�:r�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u http/1.11 ( + Meta JSON brut { "tls_ja3_hash": "78f0dc5ac5b19daf131a133cfdee9691", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "tls_alpn": [ "http\/1.1" ], "bytes_in": 517, "payload_entropy": 4.140537347904984, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": "tls", "app_proto": "tls", "asn": 41557, "country": "MK", "dst_port": 5554, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f936548d6ff8fc0b73c8b41e97918db42c8f4b1b", "event_fingerprint": "0c5231f99d2195f841c0e8d459118a207f7026b3", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "78f0dc5ac5b19daf131a133cfdee9691", "payload_hash": "eaeeca8206a11645c0c1213938910567", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 5554, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003i\ufffd)tS\u000f\ufffd`\u000e)(\u0007\ufffdu\u0015\ufffd\ufffd\ufffd\ufffd\ufffdS\\\ufffd\u000b\ufffd\ufffd9=\ufffd\ufffd\ufffd \u001c5ZD}n\u000eS\ufffdV\ufffd`\ufffd}\ufffdI\ufffd\ufffdCW^!\u0011\ufffd\ufffdJ\ufffd:\u000fr\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003i\ufffd)tS\u000f\ufffd`\u000e)(\u0007\ufffdu\u0015\ufffd\ufffd\ufffd\ufffd\ufffdS\\\ufffd\u000b\ufffd\ufffd9=\ufffd\ufffd\ufffd \u001c5ZD}n\u000eS\ufffdV\ufffd`\ufffd}\ufffdI\ufffd\ufffdCW^!\u0011\ufffd\ufffdJ\ufffd:\u000fr\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003i\ufffd)tS\u000f\ufffd`\u000e)(\u0007\ufffdu\u0015\ufffd\ufffd\ufffd\ufffd\ufffdS\\\ufffd\u000b\ufffd\ufffd9=\ufffd\ufffd\ufffd \u001c5ZD}n\u000eS\ufffdV\ufffd`\ufffd}\ufffdI\ufffd\ufffdCW^!\u0011\ufffd\ufffdJ\ufffd:\u000fr\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d1ebaf1c94f6a91292e52547716b135a2a00ec22", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003i\ufffd)tS\u000f\ufffd`\u000e)(\u0007\ufffdu\u0015\ufffd\ufffd\ufffd\ufffd\ufffdS\\\ufffd\u000b\ufffd\ufffd9=\ufffd\ufffd\ufffd \u001c5ZD}n\u000eS\ufffdV\ufffd`\ufffd}\ufffdI\ufffd\ufffdCW^!\u0011\ufffd\ufffdJ\ufffd:\u000fr\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 5554, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffdi\ufffd)tS\ufffd`)(\ufffdu\ufffd\ufffd\ufffd\ufffd\ufffdS\\\ufffd\ufffd\ufffd9=\ufffd\ufffd\ufffd 5ZD}nS\ufffdV\ufffd`\ufffd}\ufffdI\ufffd\ufffdCW^!\ufffd\ufffdJ\ufffd:r\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:5554 \u00b7 (sonde \/ probe)", "target_port_label": "5554 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 5554, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003i\ufffd)tS\u000f\ufffd`\u000e)(\u0007\ufffdu\u0015\ufffd\ufffd\ufffd\ufffd\ufffdS\\\ufffd\u000b\ufffd\ufffd9=\ufffd\ufffd\ufffd \u001c5ZD}n\u000eS\ufffdV\ufffd`\ufffd}\ufffdI\ufffd\ufffdCW^!\u0011\ufffd\ufffdJ\ufffd:\u000fr\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "78f0dc5ac5b19daf131a133cfdee9691", "port": 5554, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:5554 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffdi\ufffd)tS\ufffd`)(\ufffdu\ufffd\ufffd\ufffd\ufffd\ufffdS\\\ufffd\ufffd\ufffd9=\ufffd\ufffd\ufffd 5ZD}nS\ufffdV\ufffd`\ufffd}\ufffdI\ufffd\ufffdCW^!\ufffd\ufffdJ\ufffd:r\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "5554 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "5554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:5554", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
18/06/2026 17:10:55 UTC	TCP	5554	—	Sonde port Sonde port · port 5554 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5554 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "service": null, "app_proto": null, "asn": 41557, "country": "MK", "dst_port": 5554, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.8, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "5d4a3c2e5bce468bbc11da86ac1e7ae060b50ed0", "event_fingerprint": "980cd2eb1bffbb71425a8ba0e4c227343f3e7703", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "MK", "asn": 41557, "org": "Drustvo za telekomunikaciski uslugi TELEKABEL DOOEL Stip", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 5554, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "226f6f880d04bfc973ff21482f8378ab44637de5", "protocol_details": { "port": 5554 }, "attack_vector": "Sonde port \u00b7 port 5554 \u00b7 (sonde \/ probe)", "target_port_label": "5554", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 5554, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "port": 5554 }, "attack_vector": "Sonde port \u00b7 port 5554 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "5554", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "5554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }

89.205.21.201

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence