{"ip":"93.123.118.31","exported_at":"2026-07-18T02:02:58+00:00","period_days":1,"metrics":{"events7d":331,"distinct_ports":1,"distinct_classifications":3,"max_severity":7,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":46,"attack_stage":"exploit_attempt","attack_chain_stage":"reconnaissance","threat_family":["ddos"],"recommended_action":"monitor","confidence":0.59,"risk_breakdown":{"waf":8,"classification":80,"behavior":0,"geo":0,"protocol":30,"novelty":15},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":"TA0001","top_mitre_technique":"TA0001","top_mitre_count":217,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)","campaign_hint_fr":"Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)","confidence_breakdown":{"waf":8,"classification":80,"behavior":0,"geo":0,"protocol":30,"novelty":15,"risk_score":46,"correlation_boost":10},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["scan_coordonn\u00e9"],"correlation_flags_labels_fr":["Scan coordonn\u00e9"],"confidence_pct":59,"confidence_hint_fr":"Corr\u00e9lation +10","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0418"],"tags_summary":["pat-0418"],"attack_vector":"http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)","protocol_details":{"payload_preview":"CONNECT 51.195.40.238:80 HTTP\/1.1\r\nHost: we-love-the.world","port":1080,"service":"socks5","service_label_fr":"SOCKS5"},"protocol_summary_fr":"Payload CONNECT 51.195.40.238:80 HTTP\/1.1\r\nHost: we-love-the.world \u00b7 SOCKS5:1080","evidence_snippet":"CONNECT 51.195.40.238:80 HTTP\/1.1\r\nHost: we-love-the.world","target_port_label":"1080 \u00b7 SOCKS5","emulator_service":"socks5","confidence_reason":"Confiance 49 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%","classification_reason_label_fr":"Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%","confidence_factors_fr":"Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10","payload_preview":"CONNECT 51.195.40.238:80 HTTP\/1.1\r\nHost: we-love-the.world"},"events":[{"id":12709579,"ip":"93.123.118.31","ts":"2026-07-18 01:47:39.000000","proto":"tcp","src_port":40472,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 62, \u0022payload_entropy\u0022: 4.822922673493043, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b869f934f5a2769a626751f1e2ef38d3\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002272610a648370d8d3e3df69d5aaa55216938b98f2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 16, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":62},{"id":12709575,"ip":"93.123.118.31","ts":"2026-07-18 01:47:37.000000","proto":"tcp","src_port":40406,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 62, \u0022payload_entropy\u0022: 4.734055334713576, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227010fdad0a7612b6fd7c8f9e4878ca5b\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f827346ae2af9c122b1f5f0c8b413b4573c959b6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 15, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":62},{"id":12709563,"ip":"93.123.118.31","ts":"2026-07-18 01:47:31.000000","proto":"tcp","src_port":40256,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 62, \u0022payload_entropy\u0022: 4.734055334713576, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227010fdad0a7612b6fd7c8f9e4878ca5b\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f827346ae2af9c122b1f5f0c8b413b4573c959b6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 16, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":62},{"id":12709561,"ip":"93.123.118.31","ts":"2026-07-18 01:47:28.000000","proto":"tcp","src_port":36494,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 66, \u0022payload_entropy\u0022: 4.564867748271415, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226a2ee3d88dc3b8819168dd881bf5ab00\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b86392f44acb421cfc751d3f47c0228cc06edfbb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 16, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":66},{"id":12709557,"ip":"93.123.118.31","ts":"2026-07-18 01:47:22.000000","proto":"tcp","src_port":36418,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 66, \u0022payload_entropy\u0022: 4.564867748271415, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226a2ee3d88dc3b8819168dd881bf5ab00\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b86392f44acb421cfc751d3f47c0228cc06edfbb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 16, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":66},{"id":12709047,"ip":"93.123.118.31","ts":"2026-07-18 01:40:24.000000","proto":"tcp","src_port":49074,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.6, \u0022confidence\u0022: 0.6, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002256f33152f85e8df0a94aa2a6697b4aeb\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022397ffa76ba0a711218f59f76c740a9e996e2cbfc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022P3\ufffd(\ufffd\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 60, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022P3\ufffd(\ufffd\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 60 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12709042,"ip":"93.123.118.31","ts":"2026-07-18 01:40:20.000000","proto":"tcp","src_port":49022,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.6, \u0022confidence\u0022: 0.6, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222df390166234c2aac824138f8b2e501c\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0000P3\u078c2\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0000P3\u078c2\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0000P3\u078c2\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0000P3\u078c2\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0000P3\u078c2\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223371e8c379216c831c2e7b5f50ee78f36920ca03\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0000P3\u078c2\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022P3\u078c2\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 60, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0000P3\u078c2\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022P3\u078c2\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 60 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12709038,"ip":"93.123.118.31","ts":"2026-07-18 01:40:18.000000","proto":"tcp","src_port":55100,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.6, \u0022confidence\u0022: 0.6, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002256f33152f85e8df0a94aa2a6697b4aeb\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022397ffa76ba0a711218f59f76c740a9e996e2cbfc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022P3\ufffd(\ufffd\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 60, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022P3\ufffd(\ufffd\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 60 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12708637,"ip":"93.123.118.31","ts":"2026-07-18 01:35:22.000000","proto":"tcp","src_port":58762,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 63, \u0022payload_entropy\u0022: 4.744760233154764, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002258759936be390431371c0167a17d69af\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022733dd8db066d82bf387b496bd25a0c086286f8e0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":63},{"id":12708635,"ip":"93.123.118.31","ts":"2026-07-18 01:35:20.000000","proto":"tcp","src_port":58698,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 63, \u0022payload_entropy\u0022: 4.8202346379510095, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a17d1dd8bc29ec51040ed0dda8622d57\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 51.195.40.238:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 51.195.40.238:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.195.40.238:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 51.195.40.238:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.195.40.238:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022339b11050edd15434144282c6f4536e9341f0ec3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.195.40.238:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 51.195.40.238:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.195.40.238:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 51.195.40.238:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":63},{"id":12708630,"ip":"93.123.118.31","ts":"2026-07-18 01:35:16.000000","proto":"tcp","src_port":47848,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 63, \u0022payload_entropy\u0022: 4.744760233154764, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002258759936be390431371c0167a17d69af\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022733dd8db066d82bf387b496bd25a0c086286f8e0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":63},{"id":12708626,"ip":"93.123.118.31","ts":"2026-07-18 01:35:13.000000","proto":"tcp","src_port":47754,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 67, \u0022payload_entropy\u0022: 4.57879455625263, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223fdc7c20e114ad1340e061e8ec176d50\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229f257e0e1d7f96ea51719a4f64026c7d5bab4028\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 9, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":67},{"id":12708557,"ip":"93.123.118.31","ts":"2026-07-18 01:35:07.000000","proto":"tcp","src_port":50602,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 67, \u0022payload_entropy\u0022: 4.57879455625263, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223fdc7c20e114ad1340e061e8ec176d50\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229f257e0e1d7f96ea51719a4f64026c7d5bab4028\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 8, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":67},{"id":12707663,"ip":"93.123.118.31","ts":"2026-07-18 01:22:48.000000","proto":"tcp","src_port":41598,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 63, \u0022payload_entropy\u0022: 4.845784486751593, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022005ab9fc076c7e898310c34306b5493e\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022aad4c6b465f7b3ac35071700bc30b846211e4c16\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 6, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":63},{"id":12707662,"ip":"93.123.118.31","ts":"2026-07-18 01:22:46.000000","proto":"tcp","src_port":41556,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 63, \u0022payload_entropy\u0022: 4.7068180184632835, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ab483faf8fad9c4a44b7066cda2dbb38\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022593edc8a9a8cc2750d53d8414602433a13c4d14e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":63},{"id":12707652,"ip":"93.123.118.31","ts":"2026-07-18 01:22:42.000000","proto":"tcp","src_port":41448,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 63, \u0022payload_entropy\u0022: 4.845784486751593, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022005ab9fc076c7e898310c34306b5493e\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022aad4c6b465f7b3ac35071700bc30b846211e4c16\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 5, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":63},{"id":12707649,"ip":"93.123.118.31","ts":"2026-07-18 01:22:40.000000","proto":"tcp","src_port":41426,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 63, \u0022payload_entropy\u0022: 4.7068180184632835, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ab483faf8fad9c4a44b7066cda2dbb38\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022593edc8a9a8cc2750d53d8414602433a13c4d14e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 5, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":63},{"id":12707647,"ip":"93.123.118.31","ts":"2026-07-18 01:22:38.000000","proto":"tcp","src_port":45764,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 68, \u0022payload_entropy\u0022: 4.603729709050619, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b46e85c2efda6d6a8325211b76e03dd9\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002206cd9195b625b9a87ae1520fb9349262f58019ff\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 5, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":68},{"id":12707643,"ip":"93.123.118.31","ts":"2026-07-18 01:22:32.000000","proto":"tcp","src_port":45646,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 68, \u0022payload_entropy\u0022: 4.603729709050619, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b46e85c2efda6d6a8325211b76e03dd9\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002206cd9195b625b9a87ae1520fb9349262f58019ff\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 6, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022], \u0022behavior_alert_count\u0022: 2, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":68},{"id":12707317,"ip":"93.123.118.31","ts":"2026-07-18 01:15:59.000000","proto":"tcp","src_port":53020,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.49459024267674, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225787c4e51b983f4255d276e629ba691c\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_862e1c5e46e0dcf3 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/check_862e1c5e46e0dcf3 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_862e1c5e46e0dcf3 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_862e1c5e46e0dcf3 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_862e1c5e46e0dcf3 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022de6984922f44acb0b782e1cdc98a010f7e23a0d9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_862e1c5e46e0dcf3 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_862e1c5e46e0dcf3 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_862e1c5e46e0dcf3 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_862e1c5e46e0dcf3 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 9, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":409},{"id":12707313,"ip":"93.123.118.31","ts":"2026-07-18 01:15:57.000000","proto":"tcp","src_port":52952,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.507102448518049, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b6e1644767eb200d93a1841f9ae28eaf\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_d74490aac02cb28c HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/check_d74490aac02cb28c HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_d74490aac02cb28c HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_d74490aac02cb28c HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_d74490aac02cb28c HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229a306281fb323fb80694634fe5baf4e60b880bf8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_d74490aac02cb28c HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_d74490aac02cb28c HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_d74490aac02cb28c HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_d74490aac02cb28c HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":409},{"id":12707308,"ip":"93.123.118.31","ts":"2026-07-18 01:15:55.000000","proto":"tcp","src_port":52924,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.494599489005132, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad0a84a61b1781af8218948be26c4749\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_0010574056b15080 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/check_0010574056b15080 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_0010574056b15080 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_0010574056b15080 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_0010574056b15080 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222f77e7fe0328f2280057c9285ecd8e77e72adcb1\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_0010574056b15080 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_0010574056b15080 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_0010574056b15080 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_0010574056b15080 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":409},{"id":12707304,"ip":"93.123.118.31","ts":"2026-07-18 01:15:53.000000","proto":"tcp","src_port":52872,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.512281259248388, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225de8d9cc29564a086813ff824c90c2ca\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_87cc8f652c72ccbc HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/check_87cc8f652c72ccbc HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_87cc8f652c72ccbc HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_87cc8f652c72ccbc HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_87cc8f652c72ccbc HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002286dcb392cf74354c4b02626be3f1f66301191012\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_87cc8f652c72ccbc HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_87cc8f652c72ccbc HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_87cc8f652c72ccbc HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_87cc8f652c72ccbc HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":409},{"id":12707299,"ip":"93.123.118.31","ts":"2026-07-18 01:15:51.000000","proto":"tcp","src_port":52800,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.521491988036421, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220e7785e0c261421de638b242a5de55bd\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_954ddbbb50929a97 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/check_954ddbbb50929a97 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_954ddbbb50929a97 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_954ddbbb50929a97 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_954ddbbb50929a97 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e7e3ea31dd57d21af39c8ba2d956c4fc12d3e0b9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_954ddbbb50929a97 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_954ddbbb50929a97 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_954ddbbb50929a97 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_954ddbbb50929a97 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 11, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":409},{"id":12707300,"ip":"93.123.118.31","ts":"2026-07-18 01:15:51.000000","proto":"tcp","src_port":52808,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.510063772407615, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a2ba98c6429eff0dbe1e970d543f1bc2\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_6398f96d8a3e2b0e HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/check_6398f96d8a3e2b0e HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_6398f96d8a3e2b0e HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_6398f96d8a3e2b0e HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_6398f96d8a3e2b0e HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0bb52a639f75ca8402ef019b2ff81bf0450623d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_6398f96d8a3e2b0e HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_6398f96d8a3e2b0e HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_6398f96d8a3e2b0e HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_6398f96d8a3e2b0e HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 11, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":409},{"id":12707295,"ip":"93.123.118.31","ts":"2026-07-18 01:15:49.000000","proto":"tcp","src_port":44514,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.504660089726123, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002229351270f437e335e2c038e687260d18\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_ddddac57974b5e9b HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/check_ddddac57974b5e9b HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_ddddac57974b5e9b HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_ddddac57974b5e9b HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_ddddac57974b5e9b HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bf201a3d408903cb9c79ae0ff7cc7d67e91258dc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_ddddac57974b5e9b HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_ddddac57974b5e9b HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_ddddac57974b5e9b HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_ddddac57974b5e9b HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 11, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":409},{"id":12707292,"ip":"93.123.118.31","ts":"2026-07-18 01:15:47.000000","proto":"tcp","src_port":44440,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.527064873841295, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b0c10ddd4c3e4b51a097db18ebe60948\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_02b9a3d825576840 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/check_02b9a3d825576840 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_02b9a3d825576840 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_02b9a3d825576840 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_02b9a3d825576840 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002279fe3ee1490612c73a7916e21c42851676ed6f89\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_02b9a3d825576840 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_02b9a3d825576840 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_02b9a3d825576840 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_02b9a3d825576840 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":409},{"id":12707290,"ip":"93.123.118.31","ts":"2026-07-18 01:15:45.000000","proto":"tcp","src_port":44402,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.515054844851686, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002266c5cf5eb3133b635b37ee756d591750\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_2468abdca05b9870 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/check_2468abdca05b9870 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_2468abdca05b9870 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_2468abdca05b9870 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_2468abdca05b9870 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221b0179ff4a16f073542b8508325ad335cc148ad3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_2468abdca05b9870 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_2468abdca05b9870 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_2468abdca05b9870 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_2468abdca05b9870 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":409},{"id":12707286,"ip":"93.123.118.31","ts":"2026-07-18 01:15:43.000000","proto":"tcp","src_port":44378,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.473528498190917, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f56d5226c5e00aed6b3bb64e1e1bd48c\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_416e4affa56e00ac HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/check_416e4affa56e00ac HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_416e4affa56e00ac HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_416e4affa56e00ac HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_416e4affa56e00ac HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226f4ca2bb1f9d68164e6e3e6e7cba042c147f5464\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_416e4affa56e00ac HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_416e4affa56e00ac HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_416e4affa56e00ac HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_416e4affa56e00ac HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022], \u0022behavior_alert_count\u0022: 2, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":409},{"id":12707183,"ip":"93.123.118.31","ts":"2026-07-18 01:13:29.000000","proto":"tcp","src_port":37248,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 3, \u0022payload_entropy\u0022: 1.584962500721156, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022271d05a6cd2323b9ac63bce8f3ac33332ef07649\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022precision_score\u0022: 75, \u0022precision_signals\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 67.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022da075e9d699084fc189cdd233081c49f\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220d80e8fd6254a8b4da743f53b12e94ed91fca06d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0567\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":3},{"id":12707181,"ip":"93.123.118.31","ts":"2026-07-18 01:13:24.000000","proto":"tcp","src_port":37172,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 3, \u0022payload_entropy\u0022: 1.584962500721156, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022271d05a6cd2323b9ac63bce8f3ac33332ef07649\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022precision_score\u0022: 75, \u0022precision_signals\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 67.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022da075e9d699084fc189cdd233081c49f\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220d80e8fd6254a8b4da743f53b12e94ed91fca06d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0567\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":3},{"id":12707178,"ip":"93.123.118.31","ts":"2026-07-18 01:13:18.000000","proto":"tcp","src_port":56510,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 3, \u0022payload_entropy\u0022: 1.584962500721156, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022271d05a6cd2323b9ac63bce8f3ac33332ef07649\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022precision_score\u0022: 75, \u0022precision_signals\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 67.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022da075e9d699084fc189cdd233081c49f\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220d80e8fd6254a8b4da743f53b12e94ed91fca06d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0567\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 9, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":3},{"id":12707173,"ip":"93.123.118.31","ts":"2026-07-18 01:13:12.000000","proto":"tcp","src_port":56312,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 3, \u0022payload_entropy\u0022: 1.584962500721156, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022271d05a6cd2323b9ac63bce8f3ac33332ef07649\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022precision_score\u0022: 75, \u0022precision_signals\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 67.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022da075e9d699084fc189cdd233081c49f\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220d80e8fd6254a8b4da743f53b12e94ed91fca06d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0567\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 9, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":3},{"id":12706087,"ip":"93.123.118.31","ts":"2026-07-18 00:55:05.000000","proto":"tcp","src_port":60330,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.1, \u0022classification_confidence\u0022: 0.1, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fa7aa61033535afa526dd888eb4db7dc\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220dc89c1c81003537abba78ad789d4fa8af9a70ba\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd3\u078c2\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 10, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd3\u078c2\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 5, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12706086,"ip":"93.123.118.31","ts":"2026-07-18 00:55:03.000000","proto":"tcp","src_port":60292,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.1, \u0022classification_confidence\u0022: 0.1, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ea9fdabe5c0655ede7326703b196bd27\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022aa9543447a931ab2dc79f0913f2846c67fac90d3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd3\ufffd(\ufffd\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 10, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd3\ufffd(\ufffd\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 5, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12706084,"ip":"93.123.118.31","ts":"2026-07-18 00:54:58.000000","proto":"tcp","src_port":56272,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.1, \u0022classification_confidence\u0022: 0.1, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ea9fdabe5c0655ede7326703b196bd27\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022aa9543447a931ab2dc79f0913f2846c67fac90d3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd3\ufffd(\ufffd\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 10, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd3\ufffd(\ufffd\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 4, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12706083,"ip":"93.123.118.31","ts":"2026-07-18 00:54:56.000000","proto":"tcp","src_port":56236,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.1, \u0022classification_confidence\u0022: 0.1, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fa7aa61033535afa526dd888eb4db7dc\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220dc89c1c81003537abba78ad789d4fa8af9a70ba\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd3\u078c2\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 10, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd3\u078c2\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 4, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12706016,"ip":"93.123.118.31","ts":"2026-07-18 00:52:51.000000","proto":"tcp","src_port":58062,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 111, \u0022payload_entropy\u0022: 4.840882624082943, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022479e33fbd248488e5164e0596a17924e\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT cdn.we-love-the.world:7000 HTTP\/1.1\\r\\nHost: cdn.we-love-the.world:7000\\r\\nProxy-Connection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT cdn.we-love-the.world:7000 HTTP\/1.1\\r\\nHost: cdn.we-love-the.world:7000\\r\\nProxy-Connection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT cdn.we-love-the.world:7000 HTTP\/1.1\\r\\nHost: cdn.we-love-the.world:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT cdn.we-love-the.world:7000 HTTP\/1.1\\r\\nHost: cdn.we-love-the.world:7000\\r\\nProxy-Connection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT cdn.we-love-the.world:7000 HTTP\/1.1\\r\\nHost: cdn.we-love-the.world:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002271b633943fe9a4eade9b97d317c7bb90afaea591\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT cdn.we-love-the.world:7000 HTTP\/1.1\\r\\nHost: cdn.we-love-the.world:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT cdn.we-love-the.world:7000 HTTP\/1.1\\r\\nHost: cdn.we-love-the.world:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT cdn.we-love-the.world:7000 HTTP\/1.1\\r\\nHost: cdn.we-love-the.world:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT cdn.we-love-the.world:7000 HTTP\/1.1\\r\\nHost: cdn.we-love-the.world:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":111},{"id":12706012,"ip":"93.123.118.31","ts":"2026-07-18 00:52:46.000000","proto":"tcp","src_port":43450,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 111, \u0022payload_entropy\u0022: 4.840882624082943, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022479e33fbd248488e5164e0596a17924e\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT cdn.we-love-the.world:7000 HTTP\/1.1\\r\\nHost: cdn.we-love-the.world:7000\\r\\nProxy-Connection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT cdn.we-love-the.world:7000 HTTP\/1.1\\r\\nHost: cdn.we-love-the.world:7000\\r\\nProxy-Connection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT cdn.we-love-the.world:7000 HTTP\/1.1\\r\\nHost: cdn.we-love-the.world:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT cdn.we-love-the.world:7000 HTTP\/1.1\\r\\nHost: cdn.we-love-the.world:7000\\r\\nProxy-Connection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT cdn.we-love-the.world:7000 HTTP\/1.1\\r\\nHost: cdn.we-love-the.world:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002271b633943fe9a4eade9b97d317c7bb90afaea591\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT cdn.we-love-the.world:7000 HTTP\/1.1\\r\\nHost: cdn.we-love-the.world:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT cdn.we-love-the.world:7000 HTTP\/1.1\\r\\nHost: cdn.we-love-the.world:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT cdn.we-love-the.world:7000 HTTP\/1.1\\r\\nHost: cdn.we-love-the.world:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT cdn.we-love-the.world:7000 HTTP\/1.1\\r\\nHost: cdn.we-love-the.world:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":111},{"id":12705206,"ip":"93.123.118.31","ts":"2026-07-18 00:38:30.000000","proto":"tcp","src_port":38266,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.519145026260188, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fa80d97ac927227172993e35e75d797f\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_e273b9073ac32fa0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_e273b9073ac32fa0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_e273b9073ac32fa0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_e273b9073ac32fa0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_e273b9073ac32fa0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228b16cc98cf6971ebf566c6af342464a1425693af\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_e273b9073ac32fa0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_e273b9073ac32fa0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_e273b9073ac32fa0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_e273b9073ac32fa0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12705203,"ip":"93.123.118.31","ts":"2026-07-18 00:38:28.000000","proto":"tcp","src_port":51088,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.532230398567768, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002273a13074e59508f59aa98eaa4c5aaf9b\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_4b3e187345f04213 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_4b3e187345f04213 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_4b3e187345f04213 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_4b3e187345f04213 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_4b3e187345f04213 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c0a85936c988abc952505e51366c421317dcf65e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_4b3e187345f04213 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_4b3e187345f04213 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_4b3e187345f04213 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_4b3e187345f04213 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12705201,"ip":"93.123.118.31","ts":"2026-07-18 00:38:26.000000","proto":"tcp","src_port":51038,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.541393557975913, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221f191b83e75598cdd9b611b8cafc5257\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_5fb63d92e8b6b458 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_5fb63d92e8b6b458 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_5fb63d92e8b6b458 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_5fb63d92e8b6b458 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_5fb63d92e8b6b458 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002240a68bc32615be8d8c086d07fbe92e52a504b8fe\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_5fb63d92e8b6b458 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_5fb63d92e8b6b458 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_5fb63d92e8b6b458 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_5fb63d92e8b6b458 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12705200,"ip":"93.123.118.31","ts":"2026-07-18 00:38:24.000000","proto":"tcp","src_port":50968,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.546566303083646, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f4dffff3c2b079682b6dbe8a3c2f2698\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_dcdf80057724221b HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_dcdf80057724221b HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_dcdf80057724221b HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_dcdf80057724221b HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_dcdf80057724221b HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227d408e997e3898c1363302257b6423243ccb8b6b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_dcdf80057724221b HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_dcdf80057724221b HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_dcdf80057724221b HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_dcdf80057724221b HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12705194,"ip":"93.123.118.31","ts":"2026-07-18 00:38:22.000000","proto":"tcp","src_port":50922,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.516940712927646, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c50cd0a285429c3d72f9812d761a2621\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_9cc444668b6fe0d0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_9cc444668b6fe0d0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_9cc444668b6fe0d0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_9cc444668b6fe0d0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_9cc444668b6fe0d0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226fb295f96636a26411efa85caa9c61cd5590cb96\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_9cc444668b6fe0d0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_9cc444668b6fe0d0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_9cc444668b6fe0d0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_9cc444668b6fe0d0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12705195,"ip":"93.123.118.31","ts":"2026-07-18 00:38:22.000000","proto":"tcp","src_port":50932,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.507880101348115, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a2262a02d054271aa8f112eb9cbc7400\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_6621e18c8aa460e1 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_6621e18c8aa460e1 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_6621e18c8aa460e1 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_6621e18c8aa460e1 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_6621e18c8aa460e1 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002219381ba9ecbe6b4ed6bc0893f7f80057025e73f0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_6621e18c8aa460e1 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_6621e18c8aa460e1 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_6621e18c8aa460e1 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_6621e18c8aa460e1 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12705191,"ip":"93.123.118.31","ts":"2026-07-18 00:38:20.000000","proto":"tcp","src_port":50890,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.514330980535371, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221b0c3337e184b5aa684475ceae817c14\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_2e957350c2cea99a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_2e957350c2cea99a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_2e957350c2cea99a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_2e957350c2cea99a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_2e957350c2cea99a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223feb8bf8712c8647a16e36c5e799f1128951c764\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_2e957350c2cea99a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_2e957350c2cea99a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_2e957350c2cea99a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_2e957350c2cea99a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12705188,"ip":"93.123.118.31","ts":"2026-07-18 00:38:18.000000","proto":"tcp","src_port":45426,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.514250172906548, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e7535522b554a72d035e97a6be3eab62\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_e5a79e2a98ab5cfb HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_e5a79e2a98ab5cfb HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_e5a79e2a98ab5cfb HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_e5a79e2a98ab5cfb HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_e5a79e2a98ab5cfb HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e4ef56ca460eeb5535ac4489a27579d23251201e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_e5a79e2a98ab5cfb HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_e5a79e2a98ab5cfb HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_e5a79e2a98ab5cfb HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_e5a79e2a98ab5cfb HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12705186,"ip":"93.123.118.31","ts":"2026-07-18 00:38:16.000000","proto":"tcp","src_port":45352,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.522861571961628, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022375c78b5f72585a464cce054bbff729b\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_98a02ae2ac642f12 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_98a02ae2ac642f12 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_98a02ae2ac642f12 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_98a02ae2ac642f12 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_98a02ae2ac642f12 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022384332367ff80214c5dd286dc75d1b636329bf6d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_98a02ae2ac642f12 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_98a02ae2ac642f12 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_98a02ae2ac642f12 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_98a02ae2ac642f12 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12705184,"ip":"93.123.118.31","ts":"2026-07-18 00:38:14.000000","proto":"tcp","src_port":45320,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.535494384600086, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a0a629385cd1935e20d7475d2d68c33c\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_0b5c973c32779205 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_0b5c973c32779205 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_0b5c973c32779205 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_0b5c973c32779205 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_0b5c973c32779205 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eff5ae16924f1a1413998583a597b16815caeefb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_0b5c973c32779205 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_0b5c973c32779205 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_0b5c973c32779205 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_0b5c973c32779205 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12704826,"ip":"93.123.118.31","ts":"2026-07-18 00:32:53.000000","proto":"tcp","src_port":60150,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.6, \u0022confidence\u0022: 0.6, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002256f33152f85e8df0a94aa2a6697b4aeb\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022397ffa76ba0a711218f59f76c740a9e996e2cbfc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022P3\ufffd(\ufffd\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 60, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0000P3\ufffd(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022P3\ufffd(\ufffd\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 60 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 9, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9}],"total_events":331}