{"ip":"93.123.118.33","exported_at":"2026-07-18T02:50:34+00:00","period_days":1,"metrics":{"events7d":284,"distinct_ports":1,"distinct_classifications":3,"max_severity":7,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":46,"attack_stage":"exploit_attempt","attack_chain_stage":"reconnaissance","threat_family":["unknown"],"recommended_action":"monitor","confidence":0.69,"risk_breakdown":{"waf":8,"classification":68,"behavior":0,"geo":0,"protocol":40,"novelty":15},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":"TA0001","top_mitre_technique":"TA0001","top_mitre_count":155,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)","campaign_hint_fr":"Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)","confidence_breakdown":{"waf":8,"classification":68,"behavior":0,"geo":0,"protocol":40,"novelty":15,"risk_score":46,"correlation_boost":10},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["scan_coordonn\u00e9"],"correlation_flags_labels_fr":["Scan coordonn\u00e9"],"confidence_pct":69,"confidence_hint_fr":"Corr\u00e9lation +10","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0284"],"tags_summary":["pat-0284"],"attack_vector":"xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)","protocol_details":{"payload_preview":"GET \/check_f79d1e2e46db7289 HTTP\/1.1\r\nHost: raw.bunnyfeet.baby\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi","port":1080,"service":"socks5","service_label_fr":"SOCKS5"},"protocol_summary_fr":"Payload GET \/check_f79d1e2e46db7289 HTTP\/1.1\r\nHost: raw.bunnyfeet.baby\r\u2026 \u00b7 SOCKS5:1080","evidence_snippet":"GET \/check_f79d1e2e46db7289 HTTP\/1.1\r\nHost: raw.bunnyfeet.baby\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi","target_port_label":"1080 \u00b7 SOCKS5","emulator_service":"socks5","confidence_reason":"Confiance 59 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%","classification_reason_label_fr":"Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%","confidence_factors_fr":"Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10","payload_preview":"GET \/check_f79d1e2e46db7289 HTTP\/1.1\r\nHost: raw.bunnyfeet.baby\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi"},"events":[{"id":12712343,"ip":"93.123.118.33","ts":"2026-07-18 02:29:24.000000","proto":"tcp","src_port":41506,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.542644045999958, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ab574704112548ba28771b1a14056774\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_f79d1e2e46db7289 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_f79d1e2e46db7289 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_f79d1e2e46db7289 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_f79d1e2e46db7289 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_f79d1e2e46db7289 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002247fd97436b3e18ffc6bc51267daf8048f54205cc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_f79d1e2e46db7289 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_f79d1e2e46db7289 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_f79d1e2e46db7289 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_f79d1e2e46db7289 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12712339,"ip":"93.123.118.33","ts":"2026-07-18 02:29:22.000000","proto":"tcp","src_port":41448,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.515901317781208, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022010ff0c6705f83bc79ab4d084d3bb4dc\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_237e26eac379cb9a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_237e26eac379cb9a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_237e26eac379cb9a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_237e26eac379cb9a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_237e26eac379cb9a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d3026e33e65ec82ab02b681afdd7bcf87f7fbc89\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_237e26eac379cb9a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_237e26eac379cb9a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_237e26eac379cb9a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_237e26eac379cb9a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12712337,"ip":"93.123.118.33","ts":"2026-07-18 02:29:20.000000","proto":"tcp","src_port":41396,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.522829842226735, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f888ffa2abf3e565770e45fbbbfdf41d\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_d91306d1779ac966 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_d91306d1779ac966 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_d91306d1779ac966 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_d91306d1779ac966 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_d91306d1779ac966 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022731e36197fdc0fda0458fd45b45e89551961984b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_d91306d1779ac966 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_d91306d1779ac966 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_d91306d1779ac966 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_d91306d1779ac966 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12712334,"ip":"93.123.118.33","ts":"2026-07-18 02:29:18.000000","proto":"tcp","src_port":55620,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.524344386670098, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002244c0c8d611a4230cc4de5773e0f895a3\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_dafa674189841fa4 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_dafa674189841fa4 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_dafa674189841fa4 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_dafa674189841fa4 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_dafa674189841fa4 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224b44e7f9e225e5e3ecc099c481c5ae7fa861e852\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_dafa674189841fa4 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_dafa674189841fa4 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_dafa674189841fa4 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_dafa674189841fa4 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12712328,"ip":"93.123.118.33","ts":"2026-07-18 02:29:15.000000","proto":"tcp","src_port":55590,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.524639324608103, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bd5a5423931916c7f2e795f3d99bdf14\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_40645d362f3ec51c HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_40645d362f3ec51c HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_40645d362f3ec51c HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_40645d362f3ec51c HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_40645d362f3ec51c HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002222e3292a89d88df5401b8f0e8ff06532b2a05802\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_40645d362f3ec51c HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_40645d362f3ec51c HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_40645d362f3ec51c HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_40645d362f3ec51c HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12712329,"ip":"93.123.118.33","ts":"2026-07-18 02:29:15.000000","proto":"tcp","src_port":55596,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.515838108954887, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221f640a62040f720d36acbf92fa574853\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_139f79161a65fef0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_139f79161a65fef0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_139f79161a65fef0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_139f79161a65fef0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_139f79161a65fef0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002215d7b405b4c951d42b3ded2dd971c798582471dd\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_139f79161a65fef0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_139f79161a65fef0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_139f79161a65fef0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_139f79161a65fef0 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12712327,"ip":"93.123.118.33","ts":"2026-07-18 02:29:13.000000","proto":"tcp","src_port":55546,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.516843966062327, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002233159b34cfba34aca3e246aa5209c246\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_767aeaff804dc1d3 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_767aeaff804dc1d3 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_767aeaff804dc1d3 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_767aeaff804dc1d3 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_767aeaff804dc1d3 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228bdb12f0b73ef17c89fc79a1ab332feb8492a8c1\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_767aeaff804dc1d3 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_767aeaff804dc1d3 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_767aeaff804dc1d3 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_767aeaff804dc1d3 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12712324,"ip":"93.123.118.33","ts":"2026-07-18 02:29:11.000000","proto":"tcp","src_port":55490,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.530920489483484, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225350db7befe2bf79b2b0c899c2983b99\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_aec72224651c5295 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_aec72224651c5295 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_aec72224651c5295 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_aec72224651c5295 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_aec72224651c5295 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002205a9859c459a77516f616184036babfe3a88e546\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_aec72224651c5295 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_aec72224651c5295 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_aec72224651c5295 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_aec72224651c5295 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12712323,"ip":"93.123.118.33","ts":"2026-07-18 02:29:09.000000","proto":"tcp","src_port":39856,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.5274079160151, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022384abbefbce7daced069bcf09fdf6092\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_fcf4d6b13468ebd9 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_fcf4d6b13468ebd9 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_fcf4d6b13468ebd9 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_fcf4d6b13468ebd9 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_fcf4d6b13468ebd9 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f7c8dbfac8f8d3b8229080be28a2fe34a5748ba6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_fcf4d6b13468ebd9 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_fcf4d6b13468ebd9 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_fcf4d6b13468ebd9 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_fcf4d6b13468ebd9 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12712322,"ip":"93.123.118.33","ts":"2026-07-18 02:29:07.000000","proto":"tcp","src_port":39798,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.519381384389289, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bb617e49cd30ee6c426ff02a689c1463\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_4c260bcc99ee8b73 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_4c260bcc99ee8b73 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_4c260bcc99ee8b73 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_4c260bcc99ee8b73 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_4c260bcc99ee8b73 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022011e31ff359e6061e88ef50ddd3decc64a4817a7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_4c260bcc99ee8b73 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_4c260bcc99ee8b73 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_4c260bcc99ee8b73 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_4c260bcc99ee8b73 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12712018,"ip":"93.123.118.33","ts":"2026-07-18 02:23:58.000000","proto":"tcp","src_port":54850,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 63, \u0022payload_entropy\u0022: 4.744760233154764, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002258759936be390431371c0167a17d69af\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022733dd8db066d82bf387b496bd25a0c086286f8e0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 13, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":63},{"id":12712017,"ip":"93.123.118.33","ts":"2026-07-18 02:23:56.000000","proto":"tcp","src_port":54758,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 63, \u0022payload_entropy\u0022: 4.8202346379510095, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a17d1dd8bc29ec51040ed0dda8622d57\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 51.195.40.238:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 51.195.40.238:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.195.40.238:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 51.195.40.238:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.195.40.238:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022339b11050edd15434144282c6f4536e9341f0ec3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.195.40.238:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 51.195.40.238:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.195.40.238:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 51.195.40.238:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 13, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":63},{"id":12712014,"ip":"93.123.118.33","ts":"2026-07-18 02:23:53.000000","proto":"tcp","src_port":54694,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 63, \u0022payload_entropy\u0022: 4.744760233154764, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002258759936be390431371c0167a17d69af\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022733dd8db066d82bf387b496bd25a0c086286f8e0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 12, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":63},{"id":12712010,"ip":"93.123.118.33","ts":"2026-07-18 02:23:51.000000","proto":"tcp","src_port":54638,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 67, \u0022payload_entropy\u0022: 4.57879455625263, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223fdc7c20e114ad1340e061e8ec176d50\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229f257e0e1d7f96ea51719a4f64026c7d5bab4028\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 13, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":67},{"id":12712001,"ip":"93.123.118.33","ts":"2026-07-18 02:23:45.000000","proto":"tcp","src_port":46198,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 67, \u0022payload_entropy\u0022: 4.57879455625263, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223fdc7c20e114ad1340e061e8ec176d50\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229f257e0e1d7f96ea51719a4f64026c7d5bab4028\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 14, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":67},{"id":12709903,"ip":"93.123.118.33","ts":"2026-07-18 01:51:48.000000","proto":"tcp","src_port":39504,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 63, \u0022payload_entropy\u0022: 4.845784486751593, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022005ab9fc076c7e898310c34306b5493e\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022aad4c6b465f7b3ac35071700bc30b846211e4c16\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 172.67.140.99:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":63},{"id":12709892,"ip":"93.123.118.33","ts":"2026-07-18 01:51:42.000000","proto":"tcp","src_port":39322,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 63, \u0022payload_entropy\u0022: 4.7068180184632835, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ab483faf8fad9c4a44b7066cda2dbb38\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022593edc8a9a8cc2750d53d8414602433a13c4d14e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 104.21.40.244:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":63},{"id":12709889,"ip":"93.123.118.33","ts":"2026-07-18 01:51:39.000000","proto":"tcp","src_port":39290,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 68, \u0022payload_entropy\u0022: 4.603729709050619, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b46e85c2efda6d6a8325211b76e03dd9\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002206cd9195b625b9a87ae1520fb9349262f58019ff\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 11, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":68},{"id":12709880,"ip":"93.123.118.33","ts":"2026-07-18 01:51:33.000000","proto":"tcp","src_port":43990,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 68, \u0022payload_entropy\u0022: 4.603729709050619, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b46e85c2efda6d6a8325211b76e03dd9\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002206cd9195b625b9a87ae1520fb9349262f58019ff\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT raw.bunnyfeet.baby:80 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 11, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":68},{"id":12708633,"ip":"93.123.118.33","ts":"2026-07-18 01:35:18.000000","proto":"tcp","src_port":51430,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.1, \u0022classification_confidence\u0022: 0.1, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ea9fdabe5c0655ede7326703b196bd27\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022aa9543447a931ab2dc79f0913f2846c67fac90d3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd3\ufffd(\ufffd\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 10, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd3\ufffd(\ufffd\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12708627,"ip":"93.123.118.33","ts":"2026-07-18 01:35:14.000000","proto":"tcp","src_port":51388,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.1, \u0022classification_confidence\u0022: 0.1, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fa7aa61033535afa526dd888eb4db7dc\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220dc89c1c81003537abba78ad789d4fa8af9a70ba\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd3\u078c2\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 10, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd3\u078c2\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12708174,"ip":"93.123.118.33","ts":"2026-07-18 01:29:00.000000","proto":"tcp","src_port":51920,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 425, \u0022payload_entropy\u0022: 5.477044611256336, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022646ce5627e54e13509e55db72f0e58ba\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_dc9a894d1407ea6f HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; \u0022, \u0022request_sample\u0022: \u0022GET \/check_dc9a894d1407ea6f HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_dc9a894d1407ea6f HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_dc9a894d1407ea6f HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_dc9a894d1407ea6f HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224c07f3b85f68be4a8b0082dd5e811748ec232be3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_dc9a894d1407ea6f HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_dc9a894d1407ea6f HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_dc9a894d1407ea6f HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_dc9a894d1407ea6f HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 11, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":425},{"id":12708171,"ip":"93.123.118.33","ts":"2026-07-18 01:28:58.000000","proto":"tcp","src_port":56410,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 425, \u0022payload_entropy\u0022: 5.4778593647480545, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002209d59d710786985f2c4f1fd7ec6301d4\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_15f596cac76ffab9 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; \u0022, \u0022request_sample\u0022: \u0022GET \/check_15f596cac76ffab9 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_15f596cac76ffab9 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_15f596cac76ffab9 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_15f596cac76ffab9 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bccc6e0ddc269c33d60fe0b0bc19bb1005ca2526\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_15f596cac76ffab9 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_15f596cac76ffab9 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_15f596cac76ffab9 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_15f596cac76ffab9 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 11, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":425},{"id":12708166,"ip":"93.123.118.33","ts":"2026-07-18 01:28:56.000000","proto":"tcp","src_port":56354,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 425, \u0022payload_entropy\u0022: 5.478655488998352, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224e4ca44549812809182cb29009d14933\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_08374933ab5ea5d0 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; \u0022, \u0022request_sample\u0022: \u0022GET \/check_08374933ab5ea5d0 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_08374933ab5ea5d0 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_08374933ab5ea5d0 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_08374933ab5ea5d0 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bc6b621ac31dc38051efd806b5521a117192953f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_08374933ab5ea5d0 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_08374933ab5ea5d0 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_08374933ab5ea5d0 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_08374933ab5ea5d0 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 13, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":425},{"id":12708162,"ip":"93.123.118.33","ts":"2026-07-18 01:28:54.000000","proto":"tcp","src_port":56282,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 425, \u0022payload_entropy\u0022: 5.495657630805128, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002243382a7ab7b54b5ffb7c2a9f859eb51a\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_6bd7cbc35d21d74c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; \u0022, \u0022request_sample\u0022: \u0022GET \/check_6bd7cbc35d21d74c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_6bd7cbc35d21d74c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_6bd7cbc35d21d74c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_6bd7cbc35d21d74c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cb2c7a0e48bad8b0c4c48a5cd7771510dde8c005\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_6bd7cbc35d21d74c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_6bd7cbc35d21d74c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_6bd7cbc35d21d74c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_6bd7cbc35d21d74c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 13, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":425},{"id":12708157,"ip":"93.123.118.33","ts":"2026-07-18 01:28:52.000000","proto":"tcp","src_port":56206,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 425, \u0022payload_entropy\u0022: 5.495053817779345, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220fe3c24038644bf57a23e6d60aa41fa1\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_6e6dd4d96e87d2b9 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; \u0022, \u0022request_sample\u0022: \u0022GET \/check_6e6dd4d96e87d2b9 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_6e6dd4d96e87d2b9 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_6e6dd4d96e87d2b9 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_6e6dd4d96e87d2b9 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227d847106277ea711f80135e5f43b1780fbf0f957\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_6e6dd4d96e87d2b9 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_6e6dd4d96e87d2b9 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_6e6dd4d96e87d2b9 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_6e6dd4d96e87d2b9 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 13, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":425},{"id":12708158,"ip":"93.123.118.33","ts":"2026-07-18 01:28:52.000000","proto":"tcp","src_port":56216,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 425, \u0022payload_entropy\u0022: 5.480979914989906, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002264d9597a6639d95ff92cac81266151af\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_bea87bbe9add2fab HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; \u0022, \u0022request_sample\u0022: \u0022GET \/check_bea87bbe9add2fab HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_bea87bbe9add2fab HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_bea87bbe9add2fab HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_bea87bbe9add2fab HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b5ced8a5c9eb0674ef9329550eca06ce9fb2deb2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_bea87bbe9add2fab HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_bea87bbe9add2fab HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_bea87bbe9add2fab HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_bea87bbe9add2fab HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 13, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":425},{"id":12708153,"ip":"93.123.118.33","ts":"2026-07-18 01:28:50.000000","proto":"tcp","src_port":56162,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 425, \u0022payload_entropy\u0022: 5.4838423708367445, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002256c2e6088d7042ef6d0f6b9626b8211e\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_9991988aef47840c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; \u0022, \u0022request_sample\u0022: \u0022GET \/check_9991988aef47840c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_9991988aef47840c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_9991988aef47840c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_9991988aef47840c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c13d5fbb46f3568d3678151ab59077eb3e2829e7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_9991988aef47840c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_9991988aef47840c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_9991988aef47840c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_9991988aef47840c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 13, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":425},{"id":12708151,"ip":"93.123.118.33","ts":"2026-07-18 01:28:48.000000","proto":"tcp","src_port":43644,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 425, \u0022payload_entropy\u0022: 5.499256886108656, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f1ec50c79181ac634ba4bcc470b816bb\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_4b0328dc9f1bdaf7 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; \u0022, \u0022request_sample\u0022: \u0022GET \/check_4b0328dc9f1bdaf7 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_4b0328dc9f1bdaf7 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_4b0328dc9f1bdaf7 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_4b0328dc9f1bdaf7 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227e0a57993866718e776a8999d803f4f9e3475e8f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_4b0328dc9f1bdaf7 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_4b0328dc9f1bdaf7 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_4b0328dc9f1bdaf7 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_4b0328dc9f1bdaf7 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 13, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":425},{"id":12708149,"ip":"93.123.118.33","ts":"2026-07-18 01:28:46.000000","proto":"tcp","src_port":43614,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 425, \u0022payload_entropy\u0022: 5.496610419345599, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002208328394102616de1f7c37dd524dd50e\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_75036296a7b10fd4 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; \u0022, \u0022request_sample\u0022: \u0022GET \/check_75036296a7b10fd4 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_75036296a7b10fd4 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_75036296a7b10fd4 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_75036296a7b10fd4 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002223ece99b3d78d83b89c932e2a4700ee1059c7c02\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_75036296a7b10fd4 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_75036296a7b10fd4 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_75036296a7b10fd4 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_75036296a7b10fd4 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 13, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":425},{"id":12708146,"ip":"93.123.118.33","ts":"2026-07-18 01:28:44.000000","proto":"tcp","src_port":43564,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 425, \u0022payload_entropy\u0022: 5.485422552386614, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228dd0cb905a5c636b66efaee0a465a92e\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_ce40d8d786b1d54c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; \u0022, \u0022request_sample\u0022: \u0022GET \/check_ce40d8d786b1d54c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_ce40d8d786b1d54c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_ce40d8d786b1d54c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_ce40d8d786b1d54c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221e4e67ef488595ec5eb8f1c358e3ec38c27883ba\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_ce40d8d786b1d54c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_ce40d8d786b1d54c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_ce40d8d786b1d54c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_ce40d8d786b1d54c HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 12, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":425},{"id":12708005,"ip":"93.123.118.33","ts":"2026-07-18 01:27:26.000000","proto":"tcp","src_port":51126,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 67, \u0022payload_entropy\u0022: 4.57879455625263, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223fdc7c20e114ad1340e061e8ec176d50\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229f257e0e1d7f96ea51719a4f64026c7d5bab4028\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:443 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 12, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":67},{"id":12707340,"ip":"93.123.118.33","ts":"2026-07-18 01:16:10.000000","proto":"tcp","src_port":60170,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.54147465346758, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022120c2cf17af2f3ff04381b480d49dfc5\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_887cd213134d9fe7 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_887cd213134d9fe7 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_887cd213134d9fe7 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_887cd213134d9fe7 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_887cd213134d9fe7 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225ec4e8c215ff2fc99547f40cce3bff2379f9e9d2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_887cd213134d9fe7 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_887cd213134d9fe7 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_887cd213134d9fe7 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_887cd213134d9fe7 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 9, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12707333,"ip":"93.123.118.33","ts":"2026-07-18 01:16:08.000000","proto":"tcp","src_port":55948,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.500448808004832, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226c9a4d22ba3284cba4d201a98dfc93dc\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_48ad08ebc3feaa08 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_48ad08ebc3feaa08 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_48ad08ebc3feaa08 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_48ad08ebc3feaa08 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_48ad08ebc3feaa08 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002280a894c9472ca279bb6acb80ab61140db43f4df2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_48ad08ebc3feaa08 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_48ad08ebc3feaa08 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_48ad08ebc3feaa08 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_48ad08ebc3feaa08 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 9, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12707332,"ip":"93.123.118.33","ts":"2026-07-18 01:16:06.000000","proto":"tcp","src_port":55928,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.518651899306761, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002265360df9df8100034463a88a9ac26ffc\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_16787e77e56cd860 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_16787e77e56cd860 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_16787e77e56cd860 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_16787e77e56cd860 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_16787e77e56cd860 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ab261113a5bdaf4f2ee0c7df7d0eb0d3fba20445\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_16787e77e56cd860 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_16787e77e56cd860 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_16787e77e56cd860 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_16787e77e56cd860 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 9, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12707325,"ip":"93.123.118.33","ts":"2026-07-18 01:16:04.000000","proto":"tcp","src_port":55894,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.532408986279367, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f76e3f1761fdbdedea102425ec761ad3\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_267fd3f4c75cce8b HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_267fd3f4c75cce8b HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_267fd3f4c75cce8b HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_267fd3f4c75cce8b HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_267fd3f4c75cce8b HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002286c6ee3a870c3d771de2972bfc716a62acf7623b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_267fd3f4c75cce8b HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_267fd3f4c75cce8b HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_267fd3f4c75cce8b HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_267fd3f4c75cce8b HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 9, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12707322,"ip":"93.123.118.33","ts":"2026-07-18 01:16:02.000000","proto":"tcp","src_port":55820,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.526720356924685, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022dd004c8690e4a51177a3aadafe015c1b\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_448970f0fe9936f1 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_448970f0fe9936f1 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_448970f0fe9936f1 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_448970f0fe9936f1 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_448970f0fe9936f1 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d4b97bb1bf035d6e2796d9f3d2d9e42f3ea763b6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_448970f0fe9936f1 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_448970f0fe9936f1 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_448970f0fe9936f1 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_448970f0fe9936f1 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 9, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12707321,"ip":"93.123.118.33","ts":"2026-07-18 01:16:01.000000","proto":"tcp","src_port":55798,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.539792326232548, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228424f679da4e1965b04e9e8ef7c470a6\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_84464ac4f2082bdd HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_84464ac4f2082bdd HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_84464ac4f2082bdd HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_84464ac4f2082bdd HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_84464ac4f2082bdd HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224a6a465b3f8ab94a9ebeac75b9440ca4faca4d5d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_84464ac4f2082bdd HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_84464ac4f2082bdd HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_84464ac4f2082bdd HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_84464ac4f2082bdd HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 9, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12707318,"ip":"93.123.118.33","ts":"2026-07-18 01:15:59.000000","proto":"tcp","src_port":57870,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.515858613873282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223325e2e8e8046dadbedf9349fe48439e\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_5578553eb37dc10e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_5578553eb37dc10e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_5578553eb37dc10e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_5578553eb37dc10e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_5578553eb37dc10e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224fd18e96968afd1518b8f1506b5766fdf8c619b4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_5578553eb37dc10e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_5578553eb37dc10e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_5578553eb37dc10e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_5578553eb37dc10e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 9, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12707314,"ip":"93.123.118.33","ts":"2026-07-18 01:15:57.000000","proto":"tcp","src_port":57844,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.534196655391208, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a0c01a47243b61801e5673ab2617211d\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_00525f543b080781 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_00525f543b080781 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_00525f543b080781 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_00525f543b080781 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_00525f543b080781 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223f75cac6aa663b923e64ae10bd15e313050727c3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_00525f543b080781 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_00525f543b080781 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_00525f543b080781 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_00525f543b080781 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12707309,"ip":"93.123.118.33","ts":"2026-07-18 01:15:55.000000","proto":"tcp","src_port":57812,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.516900852953619, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002231ebafb187216e94c5baba2cf681c8a9\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_fadfefaf39a61241 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_fadfefaf39a61241 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_fadfefaf39a61241 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_fadfefaf39a61241 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_fadfefaf39a61241 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224bdfb27f38b7d509f38a492f5d935947732d4d80\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_fadfefaf39a61241 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_fadfefaf39a61241 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_fadfefaf39a61241 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_fadfefaf39a61241 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12707305,"ip":"93.123.118.33","ts":"2026-07-18 01:15:53.000000","proto":"tcp","src_port":57772,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.522486905436945, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002288494d42b7230e0ef57bb4744590b734\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_f3acf6f7e4918b93 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_f3acf6f7e4918b93 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_f3acf6f7e4918b93 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_f3acf6f7e4918b93 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_f3acf6f7e4918b93 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022266a8902092c6f337566dd991031c21bc8b8fd7e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_f3acf6f7e4918b93 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_f3acf6f7e4918b93 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_f3acf6f7e4918b93 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_f3acf6f7e4918b93 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 11, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12706977,"ip":"93.123.118.33","ts":"2026-07-18 01:10:14.000000","proto":"tcp","src_port":49944,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 64, \u0022payload_entropy\u0022: 4.800093945008263, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d3bf7cd19e565c702214715bf1bf1eca\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022059c253399933912b002d700196062523054bc87\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 8, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":64},{"id":12706966,"ip":"93.123.118.33","ts":"2026-07-18 01:10:08.000000","proto":"tcp","src_port":40796,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 64, \u0022payload_entropy\u0022: 4.632048827786958, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d75e24c5a576ed37196f35fc7edd2b56\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 104.21.40.244:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 104.21.40.244:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 104.21.40.244:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 104.21.40.244:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 104.21.40.244:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002260d0ad25903466ca1947e748217e7b50c8909526\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 104.21.40.244:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 104.21.40.244:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 104.21.40.244:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 104.21.40.244:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 8, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":64},{"id":12706963,"ip":"93.123.118.33","ts":"2026-07-18 01:10:05.000000","proto":"tcp","src_port":40746,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 69, \u0022payload_entropy\u0022: 4.564995565995301, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b2875e36d72f192d3fc71a7c8c4e28b9\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f161c96739b65cf8b6a836fb8926964bd6a731eb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 8, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":69},{"id":12706960,"ip":"93.123.118.33","ts":"2026-07-18 01:09:59.000000","proto":"tcp","src_port":52174,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 69, \u0022payload_entropy\u0022: 4.564995565995301, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b2875e36d72f192d3fc71a7c8c4e28b9\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f161c96739b65cf8b6a836fb8926964bd6a731eb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":69},{"id":12706249,"ip":"93.123.118.33","ts":"2026-07-18 00:58:15.000000","proto":"tcp","src_port":43692,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.1, \u0022classification_confidence\u0022: 0.1, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022df8005337761b32b101374e3ff5ece90\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226054d7b182669d0ab565897d18912c9fe97d22bf\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdC\ufffdc\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 10, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdC\ufffdc\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 6, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12706245,"ip":"93.123.118.33","ts":"2026-07-18 00:58:10.000000","proto":"tcp","src_port":43592,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.1, \u0022classification_confidence\u0022: 0.1, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022deab96328757c57430c3da1064ee2174\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222b68b7b0b4fcdefd18a1de6a9fca01ccf71fe94d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffdh(\ufffd\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 10, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffdh(\ufffd\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 6, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12705892,"ip":"93.123.118.33","ts":"2026-07-18 00:50:51.000000","proto":"tcp","src_port":46692,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 78, \u0022payload_entropy\u0022: 4.919972815477404, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ae0dc8356b2f750ce8e39cda6583f171\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222f1dcf7a6322efb92ebdf33e294ef3416ec3838f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":78},{"id":12705891,"ip":"93.123.118.33","ts":"2026-07-18 00:50:49.000000","proto":"tcp","src_port":34990,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 78, \u0022payload_entropy\u0022: 4.990610956558519, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002217989be0b63663495e356a7182efab43\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002242f72f2accfe00ef161dd6f60794d00b51c683ae\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: make-internet-safer-for-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":78}],"total_events":284}